Capital One, one of the top five credit card issuers by balances in the US, has been fined $80m and ordered to improve internal controls after regulators identified a string of failings that allowed hackers to obtain the personal data of more than 106m customers and credit card applicants last year.
The Office of the Comptroller of the Currency said the civil penalty and other sanctions reflected “the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud”, as well as the bank’s failure to quickly correct the deficiencies.
The data breach exposed names, addresses, phone numbers, self-reported income, credit scores and payment history, as well as some people’s social security numbers.
It has become a cautionary tale for banks migrating their data from their own physical IT infrastructure to the kind of public cloud environment from which the Capital One data was stolen.
Banks across the globe have embraced cloud solutions offered by the likes of Amazon, Google and Microsoft, since these allow them to access server capacity when they need it, making the approach more efficient than running their own sites. Some also argue that the new model is more secure than traditional approaches, since the cloud providers are enormous technology companies with sophisticated cyber security measures.
“While the OCC encourages responsible innovation in all banks it supervises,” the regulator added in its statement on Thursday, “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”
The OCC said Capital One’s internal auditors “failed to identify numerous control weaknesses and gaps in the cloud operating environment” in the years after the bank began migrating data to the cloud in 2015.
Capital One’s board “failed to take effective action” on concerns that were raised, the OCC added. The bank “neither admits nor denies” those findings, according to the OCC’s consent order.
As well as the fine, the OCC ordered Capital One to produce a written plan for improving how it oversees data held on the cloud, along with other proposals to manage risk and improve internal auditing.
The Federal Reserve also ordered Capital One to submit written plans to strengthen its risk management process, internal controls and risk auditing within 90 days. The bank must submit written progress reports to the Fed every quarter.
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defences, and have made substantial progress in addressing the requirements of these orders,” Capital One said.
Paige Thompson, who formerly worked at Amazon Web Services, is set to stand trial for the hack in February 2021. She has pleaded not guilty.
Additional reporting by Kadhim Shubber in Washington