Capital One fined $80 million for data breach involving 100 million Americans

Capital One has been fined $80 million by a Treasury Department bureau in connection to a 2019 breach that led to the data of around 100 million current and potential U.S. customers being illegally accessed. 

The Office of the Comptroller of the Currency (OCC) levied the fine, to be paid to the Treasury Department, against the banking group due to the OCC’s assessment that Capital One did not have enough risk management controls in place ahead of the 2019 hacking incident, and due to the group’s “failure to correct the deficiencies in a timely manner.”

In addition, the Board of Governors of the Federal Reserve System issued a cease and desist order against the company on Thursday in connection to the massive data breach, ordering Capital One to adopt an “enterprise-wide risk management program” to identify potential future security threats. 

The orders come almost a year after Paige Thompson, a former Amazon employee, was indicted by a federal grand jury for allegedly accessing and stealing sensitive data stored in the cloud from multiple companies, including Capital One. 

The indictment came after Thompson’s arrest for allegedly stealing the personal information of over 100 million Capital One U.S. customers and potential customers, including Social Security numbers and bank account numbers, and the data of an additional 6 million Canadian customers. 

Thompson was able to access the data through software that identified which customers of a cloud computing group had a “misconfigured web application firewall,” according to the Justice Department. Thompson then posted about her theft of the data on GitHub, with a user tipping off Capital One, and the banking company subsequently alerting the FBI. 

Thompson is awaiting trial, and faces up to 25 years in prison if found guilty. The Justice Department said at the time of Thompson’s indictment that there was no evidence Thompson sold or disseminated the stolen data. 

New York Attorney General Letitia James opened an investigation into the data breach last year, while members of Congress also demanded answers around the data breach. 

A spokesperson for Capital One told The Hill that “safeguarding our customers’ information is essential to our role as a financial institution. The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.”

“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” the spokesperson said. “We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers.”  

When Capital One disclosed the data breach incident in 2019, it noted that the vulnerability allegedly exploited by Thompson had been fixed and vowed to “incorporate the learnings from this incident to further strengthen our cyber defenses.”

-Updated at 5:30 p.m. to include a statement from Capital One.