Capital One Bank has been fined $80 million by the Office of the Comptroller of the Currency for its failures that resulted in a data breach that compromised the personal information of more than 100 million of the bank’s customers.
A former employee of Amazon Web Services has been charged in the hack, and remains in jail pending trial, which is scheduled to start in February.
The breach is considered to be one of the largest of its kind: the Social Security numbers of more than 140,000 individuals were compromised, as were the bank account numbers for 80,000 of Capital One’s customers.
The OCC levied the fine over the bank’s failure to “establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
The hack spotlighted the importance of maintaining proper security protocols, policies and procedures when protecting data that is stored in the cloud. That so much information could be uncovered by one individual should be a cautionary tale to anyone who uses the cloud to store and access data of any kind. The OCC cited Capital One for failing to “establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.” Even an internal audit conducted by the lender failed to identify the “numerous” control weaknesses in the company’s platform.
“Safeguarding our customers’ information is essential to our role as a financial institution,” Capital One said in a statement. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”