Back in 2019, Capital One released details of a massive data breach that compromised the personal information of over 100 million consumers in the U.S. and Canada. Now, it’s being forced to pay the piper for its mistakes.
The Office of the Comptroller of the Currency (OCC) announced this week that Capital One will pay an $80 million civil penalty due to the breach. The Federal Reserve Board is also requiring the company to upgrade its internal risk management systems, as well as its cybersecurity and information security practices, to prevent a similar breach from happening in the future.
“The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner,” the OCC stated.
At the time, the scope of the Capital One breach was compared to the infamous Equifax breach of 2017, which compromised the personal data of nearly 150 million Americans.
The exposed information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The hacker responsible for the breach also accessed 140,000 Social Security numbers and 80,000 bank account numbers linked to secured credit card customers. Nearly 1 million Canadian Social Insurance numbers were also compromised.