Capital One to pay $80 million fine for 2019 hack that exposed 100 million accounts
Capital One has agreed to pay $80 million to settle federal charges over a 2019 hack of its computer systems that was one of the largest financial data breaches ever. More than 100 million credit card applications were exposed in the cyberattack, which was allegedly carried out by a single individual.
The accused hacker, former Amazon Web Services employee Paige Thompson, was arrested in July 2019 and charged in connection with the incident. Thompson has pleaded not guilty, and her trial has not begun.
In a consent order filed Thursday, the Office of the Comptroller of the Currency said Capital One had neglected to protect customer data. Specifically, the federal bank regulator said the company had failed "to establish effective risk assessment processes" before migrating some of its technology operations to the cloud. The OCC also said the credit card issuer has a history of lax and ineffective cybersecurity going back to at least 2015.
After concerns about Capital One's security were raised in an internal audit, the company's board of directors failed to take action or hold management accountable for the lapses, the OCC added. The consent order doesn't offer details on the nature of those lapses.
In a statement, Capital One said, "Safeguarding our customers' information is essential to our role as a financial institution." The company also said that controls put in place before the data breach allowed it to help the FBI quickly arrest the alleged hacker and prevent illegal usage of customer data.
"In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders," Capital One said.
Law enforcement officials have said Capital One was tipped off to the hack by someone who had been in an online discussion with Thompson and reported it to the bank.
Besides paying the $80 million fine, Capital One is also required under the OCC order to establish an independent committee to assess whether it has any continuing cybersecurity issues and to report back with fixes within 60 days.