By Pete Schroeder
WASHINGTON (Reuters) – Capital One Financial Corp
The fine, announced Thursday by the Office of the Comptroller of the Currency, punishes the bank for failing to adequately identify and manage risk as it moved significant portions of its technological operations to the cloud.
“Safeguarding our customers’ information is essential to our role as a financial institution,” said a bank representative in a statement. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
In July 2019, the bank disclosed that personal information including names and addresses of about 100 million individuals in the United States and 6 million people in Canada were obtained by a hacker. The suspected hacker was a former employee of Amazon Web Services, a cloud provider where the bank had moved some of its data.
The OCC said in its consent order that the bank failed to identify and manage risks leading up to the move to cloud storage, and lacked sufficient network security and data loss prevention controls. The regulator also said that when internal auditing did identify issues, the bank’s board failed to hold management accountable.
The 2019 breach did not expose credit card account information, but about 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised.
The OCC also ordered the bank to overhaul its operations to ensure it is adequately guarding against general cybersecurity risks and risks specific to cloud operations, and submit those plans for review. The bank faces similar heightened oversight from the Federal Reserve.
(Reporting by Pete Schroeder in Washington; Editing by Chris Reese and Matthew Lewis)