In July 2019, Capital One Financial announced that a data breach occurred. An outside individual gained unauthorized access to the bank's customer details. On August 8, 2020, Capital One was ordered to pay $80 million as a civic penalty by the Office of the Comptroller of the Currency (OCC). The OCC said that Capital One’s security practices were woefully insufficient.
The Federal Reserve’s board of governors issued a cease and desist order against the bank. The board also ordered Capital One to adopt an “enterprise-wide risk management program” to identify future security risks.
When did the Capital One data breach occur?
Capital One’s data breach occurred in March and April 2019. However, the bank didn't learn about the breach until July last year. Paige Thompson, a former Amazon Web Services employee, broke through Capital One's firewall to access customers' details. Capital One was using Amazon Web Services to store its data. Thompson was indicted by a federal grand jury and charged with computer fraud, wire fraud, and computer abuse. She faces up to 25 years in prison.
What was the extent of Capital One's data breach?
The data hack affected about 100 million people in the U.S. and six million people in Canada. The hacker gained access to nearly 140,000 U.S. customers’ social security numbers and 80,000 linked bank account numbers. She also accessed the names, addresses, postal codes, zip codes, credit scores, credit limits, phone numbers, and other information for an undisclosed number of people.
How was the Capital One data breach discovered?
The hacker posted the information about the theft on the software development platform, GitHub. A GitHub user alerted Capital One through an email about the possible data breach on July 17, 2019. The email contained a link to leaked information on Thompson’s GitHub account. Capital One contacted the FBI.
Is Capital One a safe bank?
After such a massive data breach, is Capital One is a safe bank? During the data breach investigation, the OCC said that the bank's security practices weren't sufficient. The OCC determined that the bank’s board of directors “failed to take effective actions to hold management accountable.” The authorities also said that the hacker was able to exploit a “configuration vulnerability” to extract the data. The OCC has ordered that Capital One establish a compliance committee to improve its security.
According to a Capital One spokesperson, the controls put in place by the company before the breach, “enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.” The spokesperson also added that since the incident the bank has invested more resources to strengthen its cyber defenses. Despite the breach, Capital One is considered to be fairly safe. The bank acted quickly after the breach alert. Capital One didn't allow leaked customer information to spread.