OCC frees Capital One from consent order tied to 2019 breach

Dive Brief:

  • The Office of the Comptroller of the Currency (OCC) terminated a 2020 consent order against Capital One, the agency reported Thursday, determining the bank had reached a level of “safety and soundness” that no longer requires extra oversight in connection with a 2019 data breach.
  • Capital One was ordered to pay an $80 million penalty and form a compliance committee in response to the breach, which affected roughly 106 million accounts and exposed the Social Security numbers of some 140,000 credit card customers.
  • Seattle-based hacker Paige Thompson, a former Amazon Web Services employee, was convicted in June of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer after a misconfigured web application firewall allowed her to access the data. Capital One said it fixed the issue upon discovery. Thompson has not yet been sentenced.

Dive Insight:

With the termination of the consent order, Capital One is no longer required to submit quarterly updates detailing its risk management and auditing practices to the OCC, which it was required to do following the discovery of the hack.

“The OCC believes that the safety and soundness of the bank and its compliance with laws and regulations does not require the continued existence of the [consent order],” the OCC wrote in its termination order, dated Aug. 31.

The consent order was handed down due to the “failure to establish effective risk assessment processes” before Capital One migrated significant operations to the public cloud, and the bank’s “failure to correct the deficiencies in a timely manner.” The OCC did, however, “positively consider” Capital One’s customer notification and remediation efforts following the breach.

Its termination indicates the bank has satisfied the OCC’s risk management requirements and made good on Capital One CEO Richard Fairbank’s 2019 apology.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” he said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One had long positioned itself away from other banks, embracing a public cloud-first strategy, rather than using private clouds and internal firewalls. Fairbank, prior to the hack’s exposure, had called the bank “one of the most cloud-forward companies in the world.”

The incident did not pull Capital One off its cloud course, with the bank closing its final data center as planned in 2020.

A bank spokesperson that year said Capital One, since the breach, had “invested significant additional resources into further strengthening our cyber defenses, and … made substantial progress in addressing the requirements of these orders.”

Capital One was also hit with a cease-and-desist order from the Federal Reserve in conjunction with the OCC’s penalty, requiring the bank’s board of directors to submit a written plan outlining how it would improve its risk management program and internal controls for protecting customers dated

The bank agreed in December to pay $190 million to settle a class-action lawsuit related to the breach but, along with Amazon Web Services (AWS), denied “all liability” in the incident.

The breach

The breach was one of the biggest to hit the financial services sector, affecting 100 million people in the US and 6 million in Canada. Thompson accessed data including bank account numbers and credit card balances, as well as identifying information such as names and birth dates. A former employee of AWS, Capital One’s cloud hosting provider, she had developed a tool to search for misconfigured AWS accounts and used it to download data from more than 30 entities, including Capital One.

Thompson also installed cryptocurrency mining software on servers she had compromised and directed the proceeds to her personal digital wallet.

She reportedly bragged about the hack in texts and on online forums.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” US Attorney Nick Brown said during Thompson’s seven-day jury trial. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

“She wanted data, she wanted money, and she wanted to brag,” Assistant US Attorney Andrew Friedman said in closing arguments.

Capital One wasn’t the only financial services company subject to a data breach in 2019. That May, First American Financial Corp. exposed 885 million financial records linked to real estate transactions due to a web design error, and data on 4.2 million members of Desjardins, Canada’s largest credit union, was accessed by an unauthorized employee.

Capital One did not return a request for comment by press time.