A 2019 data breach affecting the personal information of more than 100 million credit card customers and credit card applicants of Capital One has yielded an $80 million civil money penalty for the bank and cease-and-desist orders against both the bank and its holding company, federal regulators said Thursday.
The Federal Reserve entered into a consent cease-and-desist order with the holding company, Capital One Financial Corporation of McLean, Va., that requires the firm to enhance its risk-management program and related governance and controls, specifically around cybersecurity and information security. Meanwhile, Capital One N.A. and Capital One Bank N.A. (USA) – referred to together as the “Bank” – have signed a C&D order with the Office of the Comptroller of the Currency (OCC) and agreed to pay an $80 million CMP.
The OCC, in its orders, stated that in or around 2015, the bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. It said the bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.
The orders also cite failures in the bank’s internal audit to identify control weaknesses and gaps in the cloud operating environment and the institution board’s failure to take effective actions to hold management accountable for the issues that the audit did raise.
“By reason of the foregoing conduct, the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” and engaged in unsafe or unsound practices that were part of a pattern of misconduct,” the OCC said in the CMP order. It said the bank has begun to address the issues raised.
The OCC said in taking action, it “positively considered the bank’s customer notification and remediation efforts,” it said in a release.