Capital One fined $80m for 2019 data breach
The US Office of the Comptroller of the Currency (OCC) has levied an $80 million civil penalty against Capital One.
The fine relates to a July 2019 data breach which exposed the records of more than 100 million customers.
A hacker accessed American and Canadian Capital One customers’ data hosted on Amazon Web Services (AWS).
The breach exposed names, addresses, phone numbers, credit scores, payment histories and social security numbers.
Former AWS engineer Paige Thompson is awaiting trial for computer fraud and abuse in connection with the breach.
Prosecutors said that Thompson built a customised tool to scan the web for misconfigured cloud servers. Thompson is due to stand trial in February 2021.
The OCC based its actions on the bank’s “failure to establish effective risk assessment processes” before it migrated “significant” amounts of data onto a public cloud.
According to the watchdog, Capital One internal audits also failed to identify numerous control weaknesses and gaps in the cloud operating environment.
“While the OCC encourages responsible innovation in all banks it supervises,” the regulator writes, “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers”.
On top of the fine, the OCC must complete a written plan for improving how it controls its cloud-based data.
The Federal Reserve has also asked Capital One to submit written plans on the improvement of its risk management practices.
The $80 million penalty will be paid into the US Treasury.