Capital One fined US$80 million for 2019 data breach

Capital One fined US$80 million for 2019 data breach

Capital One, a leading financial services corporation, has been issued an US$80 million fine by the Office of the Comptroller of the Currency (OCC) after it experienced a data breach in 2019.

A statement from the OCC said: “The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.

“In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts. While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”

Mark Bower, SVP Data Security Specialist, comforte AG, said: “The OCC’s Capital One order mirrors how we’ve seen industry regulators rip into ineffective controls over data protection.

“What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenised (Credit card and SSN data) and the rest accessible under attack. Had tokenisation been applied across the full regulated data set, this breach would have been a non-event.

“The US$80 million fine is the tip of the iceberg. The true cost of remediation, impact and the reputational loss is likely to be a lot higher. This may also set the tone for secondary litigation, where cost impact can escalate.”

Capital One has not responded to Intelligent CISO for comment.

Browse our latest issue

Intelligent CISO

View Magazine Archive