The Office of the Comptroller of the Currency (OCC) has fined Capital One $80 million over an extensive data breach in which a former software engineer accessed information on Capital One customers and potential customers.
The fine was issued after the OCC determined that Capital One did not have adequate risk management controls in place ahead of the incident. The OCC noted the company's "failure to correct the deficiencies in a timely manner."
The Board of Governors of the Federal Reserve System also issued a cease and desist order against the company. The board ordered Capital One to adopt an “enterprise-wide risk management program” to identify future security risks.
What happened in Capital One's data breach?
Paige Thompson, a former Amazon employee, was indicted by a federal grand jury in 2019 and charged with wire fraud, computer fraud, and computer abuse. She is accused of breaking into the networks of Capital One and of other, unnamed entities.
Thompson, who faces up to 25 years in prison, was caught after she posted about the hack on GitHub, a software development platform. Another user who saw the post reached out to Capital One, which then contacted the FBI.
The indictment alleges that Thompson wrote “scanning software” that let her identify customers of a cloud computing provider who had “misconfigured their firewalls,” and that she used those misconfigurations to gain access. Besides accessing millions of customers' details, Thompson is also alleged to have used the compromised servers to “mine cryptocurrency for her own benefit.”
In addition to Capital One, Thompson allegedly stole data from a non-U.S. telecommunications group, a public research university, and a state agency. Cybersecurity firm Cyberint named the entities as U.K.-based Vodafone, Michigan State University, and the Ohio Department of Transportation.
How many people were impacted?
Thompson is accused of stealing the personal information of more than 100 million Capital One customers and potential customers based in the U.S. The details included Social Security numbers and bank account numbers. She also accessed the details of an additional six million Canadian customers.
In 2019, Capital One estimated that about 140,000 U.S. credit card customers' Social Security numbers and about 80,000 linked bank account numbers were compromised, along with roughly one million Canadian customers' Social Insurance numbers (the Canadian equivalent of Social Security numbers).
After the fine was issued, a spokesperson for Capital One told The Hill that "safeguarding our customers’ information is essential to our role as a financial institution. The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker."
The spokesperson also said, "In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders." The spokesperson added, "We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers."