Capital One Financial Corp has been fined $80 million by a top banking regulator for a 2019 hack that compromised the personal information of 106 million credit card holders and applicants.
The Federal Reserve Board announced Thursday a cease and desist order against Capital One, based in McLean, Virginia, for the ‘significant data breach’.
The Board also demanded the company enhance its risk-management program and related governance and controls around cybersecurity and information security.
The hack took place when the bank transferred information-technology operations to the public cloud. It was one of the largest-ever data breaches of a big bank.
The Office of the Comptroller of the Currency said the bank failed to ‘establish effective risk assessment processes’ before the cloud transfer and failed to ‘correct the deficiencies in a timely manner.’
The bank said it has already beefed up its cybersecurity and made many of the federally required changes.
‘In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,’ Capital One said in a statement to the Wall Street Journal.
Prosecutors accused alleged hacker Paige A. Thompson of breaking through the bank’s firewall to access data it stored on Amazon’s cloud service.
The hack exposed addresses, dates of birth and self-reported incomes of individuals and small-business owners who applied for Capital One credit cards between 2005 and early 2019.
Some Social Security numbers, bank account numbers, credit scores, payment histories and credit-card spending limits also were compromised in the hack.
The bank said it had controls in place before the hack and helped authorities catch the alleged hacker.
Thompson has pleaded not guilty to charges of wire fraud and computer fraud and abuse. Her trial is slated for next year.
She allegedly began attempting to access the bank’s information in March 2019.
Capital One only learned about the hack months later from an outside researcher.
Before the breach was exposed to the public, Capital One employees raised concerns about high turnover in its cybersecurity unit and the failure to quickly install software to help search for and defend against hacks.