Capital One to pay $80M penalty over 2019 data breach – Banking Dive

Dive Brief:

Capital One will pay an $80 million penalty for last year's data breach involving more than 106 million accounts, regulators said Thursday.

The Office of the Comptroller of the Currency (OCC) said its consent order is based on the bank's "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner."

Capital One's data breach was one of the largest to hit a financial services company, affecting about 100 million people in the U.S. and another 6 million in Canada, the bank announced last year.

That hack occurred after a former employee of Capital One's cloud hosting company, Amazon Web Services, gained access to the bank's customer data by exploiting a misconfigured web application firewall.

The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018.

In its consent order, the OCC said the McLean, Virginia-based bank "failed to establish appropriate risk management" and "failed to identify numerous control weaknesses and gaps in the cloud operating environment."

The regulator said the bank's board "failed to take effective actions to hold management accountable" and said the bank "engaged in unsafe or unsound practices that were part of a pattern of misconduct."

The OCC, however, said it "positively considered" the bank's customer notification and remediation efforts following the hack.

"Safeguarding our customers' information is essential to our role as a financial institution," a Capital One spokesperson said. "The controls we put in place before last year's incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.

"In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders," the spokesperson added. "We appreciate our regulators' recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers."
