Capital One Financial Corp. is set to pay a huge $80-million fine to the Office of the Comptroller of the Currency (OCC) following its massive data breach in 2019, reports Reuters. The bank also faces a similar arrangement with the Federal Reserve.
The 80-million-dollar fine comes a year after Capital One encountered a massive data breach, compromising the personal data of 100 million consumers in the United States and 6 million from Canada. Among the information the bank disclosed as exposed were customer names and addresses.
Apart from the aforementioned information, the 2019 Capital One data breach also revealed the Social Security numbers of approximately 140,000 individuals as well as around 80,000 linked bank account numbers. The suspected hacker is a former Amazon Web Services employee, Reuters notes.
On Thursday, August 6, 2020, the Office of the Comptroller of the Currency levied the fine for the bank's failure to identify and address the risk as it overhauled its operations.
CNN notes that, in a statement, the OCC said it “took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
The OCC also pointed out that the financial institution did not have the proper network security and data loss prevention steps enacted amid the move to a cloud-based storage system.
The OCC also maintained that the Capital One board failed to hold management accountable for the incident, even though the internal audit department had already pointed out areas of concern, states Reuters.
According to CNN, the Federal Reserve has issued a cease and desist order requiring the bank to improve its current risk management system. In addition to paying the fine, the bank must also submit a plan within 90 days detailing the actions it intends to take.
Among the plans the board of directors is expected to submit are an internal governance framework, risk testing and validation processes in keeping with the enhanced risk management program, and plans for training employees on operational risk.
In response to the fine imposed after the data breach, a company spokesperson for the bank told CNN that “Safeguarding our customers’ information is essential to our role as a financial institution.”
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” continued the spokesperson.