Capital One has agreed to pay a US$80 million penalty over its lack of preparation against a massive data breach last year, which exposed the personal financial information of over 100 million Americans.
In a regulatory filing, the Office of the Comptroller of the Currency (OCC) said that the bank had failed to establish proper risk assessment procedures in 2015 after it started using cloud storage technology. The regulator also determined that Capital One’s board failed to hold the managers in charge of the cloud storage’s security liable for their neglect.
On top of the penalty, Capital One was ordered to create plans to improve its security procedures within the next three months, a separate regulatory filing by the Federal Reserve said.
Capital One explained in a statement that it has worked on its cyber security measures since the hack.
“Safeguarding our customers’ information is essential to our role as a financial institution,” the bank said in a statement. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
Tatiana Stead, a Capital One spokeswoman, told The New York Times in another statement that the bank had put controls in place before the hack occurred. She also confirmed that Capital One has been working on its security measures.
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” she said.
The hacker in the incident has been identified as Paige Thompson, a former Amazon employee who broke into the Amazon servers on which Capital One’s cloud storage is based.
The data breach affected about 100 million individuals in the US, and another six million in Canada. Approximately 140,000 social security numbers were exposed as a result of the hack, as well as about 80,000 linked bank account numbers. Additionally, one million social insurance numbers of Canadian credit card customers were compromised.
Thompson was later arrested by federal authorities, and was charged with illegally accessing Capital One’s files.