Capital One to pay $80M in connection with massive data breach
Capital One Financial has reached settlements with two federal banking regulators in connection with a 2019 hacking incident that resulted in a massive compromise of customer data.
One of the consent agreements released Thursday said the Office of the Comptroller of the Currency determined that the McLean, Va.-based lender failed to effectively assess risks in advance of its migration of information technology operations to the cloud.
The company agreed to pay $80 million to the OCC without admitting or denying the allegations. It has moved ahead with its cloud migration efforts in the wake of last year’s data breach.
The settlements with the OCC and the Federal Reserve Board came a little more than a year after the arrest of a former Amazon Web Services employee for allegedly hacking Capital One’s customer data. Capital One was using Amazon Web Services, a subsidiary of the Seattle-based tech giant that offers cloud computing services.
The hack compromised personal data on roughly 100 million Americans, and approximately 6 million Canadians, who either have a Capital One credit card or have applied for one. Capital One has said that roughly 140,000 Social Security numbers were exposed, as were 80,000 bank account numbers.
The OCC linked the data breach to problems with Capital One’s cloud migration plan, dating back to 2015. The agency alleged that Capital One failed to appropriately implement certain network security controls, as well as adequate controls for the prevention of data losses.
The OCC also found that Capital One’s internal audit unit failed to identify numerous weaknesses and gaps in the cloud operating environment, and that the company’s board failed to take effective action in response to certain concerns that the internal audit unit did raise.
A Capital One spokesperson said in an email that controls the company put in place before the breach enabled the data to be secured before customer information could be used or disseminated, and also helped authorities to arrest the hacker quickly.
Capital One did get credit from its regulators for efforts it made in the wake of the breach, including notifying customers. The Capital One spokesperson said that the company has invested significant resources into further strengthening its cyberdefenses in the year since the incident.
“We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers,” the company spokesperson said.
Under the settlements, Capital One agreed to develop and implement action plans around cybersecurity.