Capital One released from consent order related to 2019 data breach

Capital One has finished its time under a consent order imposed in 2020 following a data breach that exposed the personal information of 100 million credit card applicants. The Office of the Comptroller of the Currency announced on Thursday the termination of that order.

Capital One recently received notice from the Office of the Comptroller of the Currency that the bank had achieved a level of "safety and soundness" that no longer required the extra oversight the office imposed on the bank after its 2019 cybersecurity breach.

The OCC and Capital One agreed to a consent order in 2020 that required the bank to pay the Treasury an $80 million fine and form a compliance committee. On a quarterly basis, that committee submitted written progress reports to the government describing the steps the bank had taken to fix the risk management, board accountability and auditing issues that existed prior to the breach.

On Thursday, the OCC announced it had terminated that original consent order, releasing Capital One from the requirement to provide the quarterly updates.

"The OCC believes that the safety and soundness of the bank and its compliance with laws and regulations does not require the continued existence of the" 2020 consent order, the regulator wrote in the new order, dated Aug. 31.

Capital One did not respond to a request for comment on the termination of the order. An OCC spokesperson declined to provide further comment, as the office does "not comment on specific banks or enforcement actions."

The termination signals that the bank has at least partly made good on a 2019 apology from Richard Fairbank, the bank's CEO and chairman.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Fairbank said at the time. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Fairbank issued the apology following the arrest of Paige Thompson, a former Amazon Web Services employee whom a jury convicted this summer of wire fraud and five counts of unauthorized access to a protected computer.

Among the root causes of the hack was a cloud firewall configuration vulnerability, according to Daniel Mayo, a senior banking analyst for the financial services consultancy Celent. Thompson exploited that security weakness to obtain administrator account credentials that let her access tens of millions of credit card applications Capital One held.

In the end, Capital One reported that Thompson accessed the personal information of 100 million Americans and 6 million Canadians, which the consumers had provided in credit card applications. The information included names, addresses, postal codes, phone numbers, email addresses, dates of birth and self-reported income.

In addition to the credit card application data, Thompson also accessed the Social Security numbers of roughly 144,700 customers or applicants, the linked bank account numbers of roughly 80,000 secured credit card customers and the Social Insurance numbers of approximately 1 million Canadian customers.

In its 2020 penalty against Capital One, the OCC alleged that the bank failed to appropriately implement certain network security controls, as well as adequate controls for the prevention of data losses. The OCC also found that Capital One's internal audit unit failed to identify numerous weaknesses and gaps in the cloud operating environment, and that the company's board failed to take effective action in response to certain concerns that the internal audit unit did raise.

However, the OCC did say it "positively considered" the bank's customer notification and remediation efforts following the breach.

The episode did not deter Capital One from its cloud migration, which it began in 2015. Scott Blackley, Capital One's chief financial officer, said after the incident the company was "all in on the cloud," repeating a mantra company executives began using before the breach.

"While this incident was regrettable, I do think that we're going to find that we have a number of learnings that are going to make us a stronger and safer environment for data in the future," Blackley said at a 2019 conference.

Mayo said that the main lesson for banks in the episode is that, while cloud is "generally more secure" than on-premises computing solutions, security management and sound coding practices need to extend to the cloud just as they would any IT system, "particularly with respect to how data is used and accessed."

The OCC in 2020 made similar statements. "While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers," the office said in its announcement of the $80 million fine.
