Capital One will pay an $80 million civil penalty for its role in a 2019 security breach that exposed the personal data of more than 100 million customers, The Wall Street Journal reported. In a scathing report on its investigation into the breach, the Office of the Comptroller of Currency, part of the US Treasury. said Capital One was aware its security practices were woefully insufficient, and that the company’s board of directors “failed to take effective actions to hold management accountable.”
The breach happened in March and April of 2019, but Capital One was apparently not aware of the problem until mid-July. That’s when someone tipped the company to a public GitHub page where private Capital One data was available. That led investigators to former Amazon cloud employee Paige Thompson, who was charged with wire fraud and computer fraud. Authorities say Thompson was able to exploit a “configuration vulnerability” to extract the Capital One customers’ information and post it to message boards. She pleaded not guilty to the charges and her trial is scheduled for next year.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” the OCC said in a statement announcing the penalty.
As part of a consent order from OCC, Capital One must establish a compliance committee by the end of August, which will meet quarterly beginning in October and provide regular updates. The company is required to create an action plan to detail what steps it’s taking to improve security.
A Capital One spokesperson said in an email to The Verge that controls the company put in place before last year’s incident “enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.” Since the incident, the spokesperson added, the company has “invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
The penalty will be paid to the Treasury department.