The Federal Reserve terminated its 2020 enforcement action against Capital One, related to the 2019 breach that exposed the data of roughly 106 million customers, the central bank announced Tuesday.
“Safeguarding customer information is a top priority for Capital One. We’re pleased to fully resolve this regulatory matter from 2020,” a spokesperson for Capital One told Cybersecurity Dive. “We are committed to continuing to enhance our high standards of protection for our customers and staying ahead of the evolving threats faced by public and private institutions.”
The move by the Fed comes 10 months after the Office of the Comptroller of the Currency freed the bank from a separate, breach-related consent order, saying Capital One had reached a level of “safety and soundness” no longer requiring extra oversight.
The Capital One spokesperson did not respond to questions about what security changes the financial services organization has made in the last four years.
Capital One paid an $80 million penalty to the OCC for “failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment,” and for failing to fix the deficiencies quickly, the regulator said.
The Fed’s order required Capital One’s board of directors to submit a written plan outlining how it intended to improve its risk management and internal controls for protecting customer data. It did not include a monetary penalty.
In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit related to the breach, which compromised roughly 140,000 Social Security numbers of credit card customers and 80,000 linked bank account numbers of secured credit card customers, according to bank estimates.
The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018, the bank said.
Paige Thompson, a former AWS employee, was convicted in June 2022 of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. She reached the data through a misconfigured web application firewall in Capital One's cloud environment.
The incident spurred questions as to whether a bank or its cloud provider, in this case AWS, bears responsibility in a data breach. In response to a 2019 inquiry by Sen. Ron Wyden, D-OR, an AWS executive said the security gaps were Capital One's responsibility, not the cloud provider's.
However, AWS’s role in the breach pushed at least two lawmakers to call for the three leading cloud providers — AWS, Microsoft Azure and Google Cloud — to be considered systemically important financial market utilities.