Capital One fined $80m for data breach

Capital One has agreed to an $80 million fine from US regulators over last year's hack, which exposed the personal information of more than 100 million customers and applicants.

The Office of the Comptroller of the Currency (OCC) calculated the fine based on a "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner".

Capital One revealed last July that a hacker accessed information relating to about 100 million American and six million Canadian customers that was stored on Amazon Web Services cloud servers.

The following month, software engineer Paige Thompson was indicted for wire fraud and computer data theft related to alleged unauthorised intrusion into stored data of more than 30 companies, including Capital One.

According to the indictment, Thompson created scanning software that allowed her to identify AWS customers who had misconfigured their firewalls, so that commands sent from outside could reach and access their servers.

The US regulator also demanded that Capital One improve its risk management programme and related governance and controls, specifically around cyber security.

Commenting on the fine, Mark Bower, senior vice president at data security specialist comforte AG, said that the signal is very clear: the often referenced shared responsibility cloud model means nothing when it’s your data.

"What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenised - credit card and SSN data - and the rest accessible under attack," he explained, adding that had tokenisation been applied across the full regulated data set, this breach would have been a non-event.

"This fine is the tip of the iceberg - the true cost of remediation, impact, and the reputational loss is likely to be a lot higher - this may also set the tone for secondary litigation, where cost impact can escalate."
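To make the tokenisation point concrete, the following is an added illustration (not Capital One's or comforte AG's code, and not something the article itself provides) of vault-style tokenisation: regulated fields are replaced in the application data store with random tokens, and the token-to-value mapping lives only in a separate vault. The customer record, the list of fields treated as regulated, and the detection patterns are constructed assumptions for the example. A dump of the tokenised store yields no usable SSNs or card numbers; an attacker would also need the vault.

```python
import re
import secrets

# Constructed sample record for the example; not real customer data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "card": "4111111111111111",
    "dob": "1984-02-29",
    "email": "jane.doe@example.com",
}

# Assumption: which fields count as "regulated" is a policy choice; the
# article only names card and SSN data, so the full set here is illustrative.
REGULATED_FIELDS = ("ssn", "card", "dob", "email")


class TokenVault:
    """Vault-style tokenisation: the token -> value mapping exists only here.

    In a real deployment the vault runs in its own trust boundary (separate
    account, network and credentials); the application store never holds it.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, field, value):
        # Deterministic per (field, value) so joins and lookups still work.
        key = (field, value)
        if key in self._value_to_token:
            return self._value_to_token[key]
        while True:
            # Random token: no mathematical relationship to the value,
            # so it cannot be reversed without the vault.
            token = f"tok_{field}_{secrets.token_hex(8)}"
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[key] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def tokenize_record(record, vault, fields=REGULATED_FIELDS):
    """Return a copy of the record with regulated fields replaced by tokens."""
    return {k: (vault.tokenize(k, v) if k in fields else v) for k, v in record.items()}


def detokenize_record(record, vault, fields=REGULATED_FIELDS):
    """Reverse tokenize_record; only possible with access to the vault."""
    return {k: (vault.detokenize(v) if k in fields else v) for k, v in record.items()}


# Crude patterns an attacker (or a DLP scanner) would run over a dumped store:
# US SSN format and 13-19 digit card-number-like runs.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b\d{13,19}\b"),
]


def leaked_sensitive_values(records):
    """What a dump of these records actually exposes to the pattern scan."""
    hits = []
    for rec in records:
        for value in rec.values():
            for pattern in SENSITIVE_PATTERNS:
                hits.extend(pattern.findall(str(value)))
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(SAMPLE_RECORD, vault)
    print("application store holds:", stored)
    print("exposed by dumping raw record:", leaked_sensitive_values([SAMPLE_RECORD]))
    print("exposed by dumping tokenised record:", leaked_sensitive_values([stored]))
    print("recovered with vault:", detokenize_record(stored, vault))
```

The design choice that matters is where the vault lives: tokenisation only reduces the blast radius of a data-store compromise if the credentials and network path that reach the application store do not also reach the vault. Tokenising only a subset of fields, as the quote above describes, leaves every untokenised field readable to whoever reaches the store.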
