Capital One hit with $80m fine by US regulators over 2019 data breach

Capital One must take steps to address shortcomings in its cloud risk operations plan after being hit with an $80m fine for a 2019 data breach that affected 106 million customers in the US and Canada.

A consent order issued by the US Treasury Department’s Office of the Comptroller of the Currency (OCC) said the company engaged in “unsafe and unsound practices, including those relating to information security” and failed to “establish effective risk assessment processes” before migrating its IT systems to the cloud.

This allegedly paved the way for an unauthorised third party to gain access to the social security numbers of 140,000 of the firm’s credit card customers, plus the bank account details of 80,000 people.

The consent order said: “In or around 2015, the bank failed to establish effective risk assessment processed prior to migrating its information technology operations to the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

“The bank’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment.”

Also, any “weaknesses” that were picked up during the internal audit were either not effectively reported on or highlighted to senior management, or the board failed to take “effective action” on them, the order added.

“[The company] engaged in unsafe and unsound practices that were part of a pattern of misconduct,” it said.

However, the document acknowledged that “the bank has begun addressing the identified corrective action and has committed to providing resources to remedy the deficiencies”.

As previously reported by Computer Weekly, the alleged perpetrator of the hack was former Amazon Web Services software engineer Paige Thompson, who was arrested in connection with the breach in July 2019.

In a statement at the time, Capital One said it had received assurances from the FBI  that none of the data accessed had been used to commit fraud or shared by those responsible for the breach.

Thompson is due to stand trial in February 2021, having previously pleaded not guilty to all charges.

In a separate statement, the OCC said its decision to issue the $80m was in direct response to the sequence of events that played out, as well as Capital One’s failure to address these issues in a timely manner.

“In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts,” the OCC said in its statement.

“While the OCC encourages responsible innovation in all the banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers,” it added. “The OCC found the noted deficiencies to constitute unsafe or unsound practices.”

Computer Weekly contacted Capital One for comment on this story, and was told by a company spokesperson that since the breach the company has invested “significant additional resources” into tightening up its cyber defences, and made “substantial progress” in addressing the concerns outlined by the regulators above. 

“Safeguarding our customers’ information is essential to our role as a financial institution. The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker,” the spokesperson added. 

“We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers.”