The Capital One hack was one of the largest data breaches ever to hit a financial services firm. In 2017, the credit-reporting company Equifax disclosed that hackers had stolen the personal information of 147 million people. Equifax reached a $700 million settlement with regulators over that breach.
The OCC said in a statement that the Capital One fine was “based on the bank’s failure to establish effective risk assessment processes” before it moved a major portion of its computer data to a cloud storage system, “and the bank’s failure to correct the deficiencies in a timely manner.”
The regulator also said Capital One deserved credit for its customer notification and remediation efforts in the wake of the hack.
“Safeguarding our customers’ information is essential to our role as a financial institution,” the bank said in a statement. “The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker. In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
In July 2019, the FBI arrested Paige A. Thompson of Seattle, alleging that she hacked the bank and then bragged about it in online forums. Thompson has pleaded not guilty and is awaiting trial.
When it announced the breach last year, Capital One emphasized that no credit card numbers or log-in credentials were compromised, nor were the vast majority of Social Security numbers on the affected applications.
Officials have said the bank, which is headquartered in McLean, Va., was alerted to the problem by someone who had been in an online discussion with Thompson. After the tip the bank was quickly able to confirm the vulnerability in its system.
Prosecutors say the hacker was able to access roughly 100 million credit card applications as well as the Social Security numbers of more than 100,000 customers. Officials have said Thompson was arrested before she could disseminate that information to anyone.