Capital One fined $80M for 2019 data breach

Federal bank regulator the Office of the Comptroller of the Currency announced Thursday it has fined McLean-based Capital One Financial Corp $80 million for what it calls unsafe and unsound information technology practices tied to computing operations in its cloud environment. Capital One is the largest bank in Virginia, according to 2019 deposits.

In 2019, more than 100 million people were affected by a data breach at Capital One in which Social Security and bank account numbers and card applications were compromised. A Seattle software engineer hacked into the bank’s servers and prosecutors later said the hacker also had terabytes of stolen data from 30 other organizations, including companies and universities.

“Safeguarding our customers’ information is essential to our role as a financial institution,” says a Capital One spokesperson. “The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.”

The OCC is also requiring that Capital One carry out a comprehensive action plan to create additional security oversight mechanisms.

“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses and have made substantial progress in addressing the requirements of these orders,” says a Capital One spokesperson.

The OCC’s actions are in conjunction with a cease and desist order filed against Capital One by the Federal Reserve Board, which oversees the nation’s monetary policy. The Fed action, however, does not include an additional monetary penalty.

“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” according to a statement released Thursday. 

Capital One has agreed to pay the fine and put in place additional security controls.

“While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers,” according to the OCC statement.

Subscribe to Virginia Business.

Get our daily e-newsletter.