Capital One has agreed to pay $80 million to settle charges stemming from the 2019 hacking incident that exposed data of more than 100 million customers, one of the largest attacks targeting financial data ever.
In a consent order, the Office of the Comptroller of the Currency said it assessed the civil penalty based on the bank’s failure to establish effective risk management prior to migrating information technology operations to the cloud, and due to the bank’s failure to correct deficiencies in a timely manner.
“While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers,” the OCC said.
The regulator said the bank’s lax practices dated back to 2015.
At the same time, the Federal Reserve filed a cease and desist order against Capital One as part of the consent order the bank entered into with it and the OCC.
As part of that order, the board of directors of Capital One has 90 days to submit a plan to improve risk management, internal governance, and controls. The bank will also have to give quarterly updates to the Fed showing its progress.
In July 2019, a 33-year-old former Amazon Web Services employee from Seattle, Paige Thompson, was arrested and charged in connection with the theft, which exposed Social Security numbers, credit card applications, home addresses, credit scores, and the bank account numbers of 80,000 secured credit card customers.
Thompson has pled not guilty.
“Safeguarding our customers’ information is essential to our role as a financial institution,” a Capital One spokesperson said in a statement. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses and have made substantial progress in addressing the requirements of these orders.”