$80 Million Penalty on Capital One for July Data Breach


Capital One Financial Corporation is an American bank specializing in credit cards, auto loans, banking and savings accounts. It has been fined $80 million over a data breach that happened in July last year. The Office of the Comptroller of the Currency (OCC) announced the fine in a press release.

The OCC imposed the fine as a civil money penalty. It explained in the release that its actions are based on the “bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.” It also said that it had taken into favourable consideration the remedial steps that Capital One took after the incident was identified. The OCC added that the penalty was imposed for violating the “Interagency Guidelines Establishing Information Security Standards,” with which all US banks must comply.

What happened

In July 2019, a hacker broke into Capital One's systems and stole data belonging to the bank's customers. The hacker obtained about 140,000 Social Security numbers along with 80,000 linked bank account numbers of Capital One's credit card customers. One million Social Insurance numbers of Canadian customers were also affected.

On its website, Capital One has admitted that the breach affected more than 100 million users in the US and approximately 6 million users in Canada. Most of the information accessed by the hacker concerned customers who had applied for credit cards between 2005 and 2019. This information also included the customers' personal information.

The bank claims to have notified the affected customers. The vulnerability that led to the breach was fixed immediately, and bank officials cooperated with federal law enforcement agencies to find the perpetrator.

The culprit, a 33-year-old woman named Paige Thompson, was arrested in July last year and charged with computer fraud and abuse, which can lead to up to 5 years in prison and a fine of up to $250,000. The data was recovered successfully by the Government, and there was no evidence of any fraud using the data.

Thompson worked at Amazon Web Services, a cloud hosting company, as a computer software engineer until 2016. Capital One uses that company's services. She exploited a misconfigured web application firewall on the bank's server and stole the data. However, as the reports claim, no harm was done to Amazon’s servers and database. The hack happened in March last year but was identified in July.

Owing to the enormous consequences such data breaches can lead to, the OCC has advised Capital One to submit a plan in 90 days on how it intends to improve the firm's cybersecurity to avoid such instances in the future.
