Capital One will pay an $80 million civil fine for its role in a 2019 security breach that exposed the personal data of more than 100 million customers, The Wall Street Journal reported. In a scathing report on its investigation of the breach, the Office of the Comptroller of the Currency, part of the US Treasury, said Capital One was aware that its security practices were woefully inadequate, and that the company’s board of directors “failed to take effective action to hold management accountable.”
The breach took place in March and April 2019, but Capital One was apparently not aware of the issue until mid-July. That’s when someone tipped the company off to a public GitHub page where private Capital One data was available. That led investigators to former Amazon cloud employee Paige Thompson, who was charged with wire fraud and computer fraud. Authorities say Thompson was able to exploit a “configuration vulnerability” to extract the information about Capital One’s customers and post it on bulletin boards. She pleaded not guilty to the charges, and her trial is scheduled for next year.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to the migration of key IT operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” the OCC said in an announcement of the penalty.
As part of a consent order from the OCC, Capital One must establish a compliance committee by late August, which will meet quarterly starting in October and provide regular progress updates. The company must also draw up an action plan outlining the steps it will take to improve security.
A Capital One spokesperson said in an email to The Verge that the safeguards the company had in place prior to last year’s incident “enabled us to secure our data before customer information could be used or disseminated and helped authorities quickly arrest the hacker.” Since the incident, the spokesperson added, the company has “invested significant additional resources to further strengthen our cyber defenses and have made significant progress in meeting the requirements of these orders.”
The fine will be paid to the Treasury Department.
UPDATE Aug 8 10:38 AM ET: Adds statement from Capital One spokesperson