Capital One was fined for failing to put in place necessary risk assessment processes


Capital One world headquarters. (Credit: Jmswllms0/Wikipedia.)

The US Department of the Treasury’s Office of the Comptroller of the Currency (OCC) has imposed an $80m civil money penalty on Capital One and Capital One Bank (USA) over a 2019 hack.

The company was fined because it failed to carry out the necessary risk assessment processes before moving its information technology operations to the public cloud in or around 2015.

The OCC said the company also failed to mitigate those issues in a timely manner.

According to OCC findings, the bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC said: “In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.

“While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”

Data breach compromised the personal information of the bank’s 106 million credit card holders

In July last year, Capital One confirmed a data breach in which the personal details of millions of North American customers were stolen.

The breach compromised the personal information of the bank’s 106 million credit card holders, including approximately 140,000 Social Security numbers and 80,000 bank account numbers.

Former Amazon software engineer Paige Thompson was accused of carrying out the hack.

The OCC added: “The Bank has begun addressing the identified corrective action and has committed to providing resources to remedy the deficiencies.”