Capital One will pay an $80 million civil penalty for its role in a 2019 security breach that exposed the personal data of more than 100 million customers, The Wall Street Journal reported. In a scathing report on its investigation into the breach, the Office of the Comptroller of the Currency, which is part of the US Treasury, said Capital One was aware that its security practices were woefully inadequate and that the company’s board “had failed to take effective steps to hold management accountable.”
The breach occurred in March and April 2019, but Capital One was apparently not aware of the issue until mid-July. That’s when someone directed the company to a public GitHub page where private data from Capital One was available. This led investigators to former Amazon cloud worker Paige Thompson, who has been charged with wire fraud and computer fraud. Authorities say Thompson was able to exploit a “configuration vulnerability” to extract information about Capital One customers and post it on message boards. She has pleaded not guilty to the charges, and her trial is scheduled for next year.
“The OCC took these steps because of the bank’s inability to establish effective risk assessment processes before migrating large IT operations to the public cloud environment and the bank’s inability to correct deficiencies in a timely manner,” the OCC said in a statement announcing the penalty.
As part of an OCC consent order, Capital One is to establish a compliance committee by the end of August, which will meet quarterly starting in October and provide regular updates. The company is required to create an action plan detailing the steps it will take to improve security.
A spokesperson for Capital One said in an email to The Verge that the controls the company had put in place before last year’s incident “allowed us to secure our data before any customer information could be used or released and helped authorities quickly stop the hacker.” Since the incident, the spokesperson added, the company “has invested significant additional resources in strengthening our cyber defenses and has made substantial progress in meeting the demands of these orders.”
The penalty will be paid to the Treasury Department.
UPDATE August 8, 10:38 a.m. ET: Adds a statement from a Capital One spokesperson.