Capital One and Capital One Bank (USA) were slapped with an $80 million civil money penalty by the Office of the Comptroller of the Currency on Thursday for failing to establish sound risk management processes and internal controls related to the company’s 2019 data breach.
The breach was announced in July last year: a hacker had obtained the personal information of approximately 100 million individuals in the United States and approximately six million individuals in Canada. On the same day Capital One announced the breach, the Department of Justice arrested a former Seattle technology company software engineer, Paige Thompson, in connection with the breach.
According to the criminal complaint, Thompson posted on the information-sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured Web application firewall that enabled access to the data.
“In or around 2015, the bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment,” the OCC said in its consent order, which was accompanied by a cease-and-desist order. “The bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.”
The OCC identified internal audit failings as well. “The bank’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment,” the consent order stated. “Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the audit committee.”
When internal audit did raise certain concerns, “the board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses,” the consent order stated.
Taken together, these deficiencies constituted “unsafe or unsound practices” and resulted in noncompliance with the Interagency Guidelines Establishing Information Security Standards, the OCC said. It did, however, credit Capital One’s customer notification and remediation efforts. Capital One neither admitted nor denied the findings.
In a separate action, the Federal Reserve Board announced a cease-and-desist order against Capital One resulting from the data breach. Under that order, Capital One must enhance its risk management program and related governance and controls, specifically around cyber-security and information security. Capital One must submit to the Federal Reserve Board, which supervises the bank holding company, a series of written plans within 90 days as to how it intends to achieve these objectives.