Skip to main content
close search
site logo
Dive Brief

Capital One freed from consent order tied to 2019 breach

The Office of the Comptroller of the Currency determined the bank had reached a level of “safety and soundness” no longer requiring extra oversight regarding a leak of 106 million customers’ data.

Published Sept. 20, 2022
Gabrielle Saulsbery's headshot
Reporter
The Capital One flag flies over its headquarters March 13, 2006 in Mclean, Virginia.
Capital One flag Mark Wilson via Getty Images

First published on

Banking Dive

Dive Brief:

  • The Office of the Comptroller of the Currency (OCC) terminated a 2020 consent order against Capital One, the agency reported Thursday, determining the bank had reached a level of “safety and soundness” no longer requiring extra oversight in connection with a 2019 data breach.
  • Capital One was ordered to pay an $80 million penalty and form a compliance committee in response to the breach, which affected roughly 106 million accounts and exposed the Social Security numbers of some 140,000 credit card customers.
  • Seattle-based hacker Paige Thompson, a former Amazon Web Services employee, was convicted in June of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer after a misconfigured firewall allowed her to access the data. Capital One said it fixed the issue upon discovery. Thompson has not yet been sentenced.

Dive Insight:

With the termination of the consent order, Capital One is no longer required to submit quarterly updates detailing its risk management and auditing practices to the OCC, which it was required to do following the discovery of the hack.

"The OCC believes that the safety and soundness of the bank and its compliance with laws and regulations does not require the continued existence of the [consent order]," the OCC wrote in its termination order, dated Aug. 31.

The consent order was handed down due to the “failure to establish effective risk assessment processes” before Capital One migrated significant operations to the public cloud, and the bank’s “failure to correct the deficiencies in a timely manner.”

The OCC did, however, “positively consider” Capital One’s customer notification and remediation efforts following the breach.

Its termination indicates the bank has satisfied the OCC’s risk management requirements and made good on Capital One CEO Richard Fairbank’s 2019 apology.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” he said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Capital One had long positioned itself away from other banks, embracing a public cloud-first strategy, rather than using private clouds and internal firewalls. Fairbank, prior to the hack’s exposure, had called the bank “one of the most cloud-forward companies in the world.” 

The incident didn’t pull Capital One off its cloud course, with the bank closing its final data center as planned in 2020.

A bank spokesperson that year said Capital One, since the breach, had “invested significant additional resources into further strengthening our cyber defenses, and ... made substantial progress in addressing the requirements of these orders.”

Capital One was also hit with a cease-and-desist order from the Federal Reserve in conjunction with the OCC’s penalty, requiring the bank’s board of directors to submit a written plan outlining how it would improve its risk management program and internal controls for protecting customer data.

The bank agreed in December to pay $190 million to settle a class-action lawsuit related to the breach but, along with Amazon Web Services (AWS), denied “all liability” in the incident.

The breach

The breach was one of the biggest to hit the financial services sector, affecting 100 million in the U.S. and 6 million in Canada. Thompson accessed data including bank account numbers and credit card balances, as well as identifying information including names and birth dates. A previous employee of Capital One’s cloud hosting company AWS, she’d developed a tool to search for misconfigured AWS accounts and used it to download data from more than 30 entities including Capital One.

Thompson also inserted cryptocurrency mining software on new servers, and directed the income to her personal digital wallet.

She reportedly bragged about the hack in texts and on online forums.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” U.S. Attorney Nick Brown said during Thompson’s seven-day jury trial. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

“She wanted data, she wanted money, and she wanted to brag,” Assistant U.S. Attorney Andrew Friedman said in closing arguments.

Capital One wasn’t the only financial services company subject to a data breach in 2019. That May, First American Financial Corp. exposed 885 million financial records linked to real estate transactions due to a web design error, and member data for 4.2 million customers at Desjardins, Canada’s largest credit union, was accessed by an unauthorized employee.

Capital One did not return a request for comment by press time.

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Breaches
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell