A U.S. financial regulator has fined Capital One $80 million in connection with the 2019 data breach that compromised details on approximately 106 million people.
The Office of the Comptroller of the Currency, a bureau within the Department of Treasury, announced the penalty over the bank’s failure “to establish effective risk assessment processes” before moving “significant information technology operations” to the cloud. OCC also flagged the bank for not correcting “deficiencies in a timely manner.”
The bank also is required to improve its data security practices and update its approach to risk management as part of a consent decree with the OCC.
Capital One reported $28.6 billion in total revenue in 2019.
The McLean, Va.-based bank announced in July 2019 that a hacker had accessed information about 100 million credit card customers and applicants in the U.S., and another 6 million people in Canada. Customer addresses, income figures and birth dates were exposed, along with some Social Security numbers and bank account numbers.
It was one of the largest breaches ever reported at a major U.S. financial institution. Prior to the security incident, Capital One had differentiated itself in the banking world by embracing emerging technologies, like the cloud, where the company’s chief information officer previously said the bank could store data more securely “than even in our own data centers.”
Police have since arrested Paige Thompson, a former Amazon Web Services employee, on suspicion of hacking Capital One’s firewall to take data from its cloud service. Thompson has pleaded not guilty, and her trial is scheduled to begin in Seattle next year.
Since the breach, Capital One has invested “significant additional resources into further strengthening our cyber defenses, and have made substantial progress” in improving its security, the company said in a statement.