Capital One has agreed to pay $80 million to settle federal bank regulators’ claims that it lacked proper cybersecurity protocols, more than a year after a Seattle-based software engineer hacked into a cloud server and stole customers’ Social Security numbers, bank account information and credit card applications, regulators said Thursday.
The Office of the Comptroller of the Currency, which oversees large U.S. banks, said in a regulatory filing that the bank had failed to establish proper risk assessment procedures in 2015 after it began using cloud storage technology. Later, its board failed to hold the managers in charge of the area accountable for their neglect.
In addition to the civil penalty, Capital One must come up with plans to improve its security procedures within the next three months, according to a separate regulatory filing by the Federal Reserve, which also has authority over the bank.
The hacker was Paige Thompson, a former Amazon employee who broke into a server hosted by Amazon and then boasted about it in several internet forums. Ms. Thompson was arrested in July 2019 and charged with one count of computer fraud and abuse. Her trial is scheduled to begin in February.
Prosecutors say Ms. Thompson stole data relating to more than 100 million Capital One customers, including 140,000 Social Security numbers and 80,000 bank account numbers. The bulk of the information taken involved credit card applications.
Tatiana Stead, a Capital One spokeswoman, said controls put in place before the hack had allowed the bank to secure customer information before it could be used or disseminated.
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” she said.