On Thursday, August 6th, 2020, Capital One Financial Corp, a leading US wealth regulator, was fined $80 million for suffering a major breach of its database in 2019. The Capital One data breach exposed confidential information of banks through multiple data security vulnerabilities. The company will pay this heavy fine to the Office of the Comptroller of the Currency, United States. The fine serves as a punishment for the corporation's failure to identify and manage cyber risks adequately.
This is the first major data breach since Capital One migrated almost all of its technology operations to the cloud. One of the representatives of Capital One bank said that protecting customer information has been “essential to our role.” Over the past year, the financial institution has beefed up its data security measures, investigated this breach in depth, and invested in advanced resources for bolstering its cyber defenses. The corporation affirms that it has made “substantial progress” in complying with the statutes prescribed in the orders issued by the Office of the Comptroller of the Currency.
The breach happened last year, in July, when Capital One was hacked by an anonymous user who extracted personal information, such as names and addresses, of over 100 million bank account holders in the United States. The data breach also leaked information of over 6 million Capital One customers from Canada. After investigation, it was revealed that the suspected hacker was a former Amazon Web Services employee. The hacker was able to execute this data breach because Capital One had partnered with Amazon Web Services as its cloud provider and moved a significant portion of its banking data to the AWS cloud in 2019.
The order issued by the Office of the Comptroller of the Currency states that the bank “failed to identify and manage risks,” and that its technology transition to cloud storage did not have “sufficient network security.” The order also mentioned that Capital One failed to strengthen its controls on data loss prevention, for which it will pay $80 million as a punitive fine.