The top US banking regulator has fined Capital One $80 million for failing to secure customer data hosted in the public cloud, a security lapse that led to the bank's massive 2019 breach exposing the personal information of more than 100 million Americans.
The fine was announced today by the Office of the Comptroller of the Currency (OCC), an independent bureau within the US Department of the Treasury and the primary regulator of national banks.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” the agency said in a press release today.
The Capital One security breach came to light on July 29, 2019.
The breach took place after a former Amazon Web Services (AWS) employee allegedly exploited a misconfigured web application firewall on Capital One's AWS infrastructure to obtain credentials for a privileged IAM role, then used those credentials to download gigabytes of data from the bank's cloud storage containing the personal and financial details of more than 100 million Americans and 6 million Canadians.
The hacker, identified as Paige A. Thompson, was only arrested after bragging about the hack online. A subsequent house search revealed evidence that she might have also downloaded data from 30 other companies.
Although the intrusion was carried out by an outsider, a former employee of the bank's cloud provider rather than anyone with legitimate access, Capital One was widely panned in the media for failing to detect the unauthorized downloads when they happened and for leaving highly sensitive data exposed in a public cloud: the data was encrypted at rest, but the compromised role had the rights to decrypt it, so encryption alone offered no protection.
Today's OCC fine confirms that critics were right in their 2019 assessments. Capital One has not issued any public statement in response to the fine.
Thompson is awaiting trial.