Bank regulators crack down on Capital One after its massive data breach

By Clare Duffy, CNN Business
CNN — The US government and Federal Reserve on Thursday took action against Capital One in response to the bank's massive 2019 data breach.

The Fed filed a cease and desist order, laying out steps Capital One must take to improve its risk-management program and internal controls related to cybersecurity and information security. It's part of a consent order Capital One entered into with the agency in response to the incident. The Fed's action comes in conjunction with an $80 million civil penalty announced Thursday against Capital One by the Office of the Comptroller of the Currency.

In July 2019, Capital One revealed that a hacker had accessed private data for more than 100 million US Capital One customers. The exposed data from the hack included Social Security numbers, credit card applications, home addresses, credit scores, credit limits and balances. The hacker also had access to the personal data of approximately 6 million individuals in Canada, according to the Federal Reserve Board.

The hack marked one of the largest data breaches ever, and among those affected are some of the bank's most financially vulnerable customers.

"The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner," the Comptroller's office said in a release Thursday.

Capital One said that controls put in place prior to the hack allowed the company to secure customers' data before it could be used or disseminated, and helped law enforcement arrest the hacker.

"Safeguarding our customers' information is essential to our role as a financial institution," a Capital One spokesperson said in a statement to CNN Business. "In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders."

The bank said it will continue to work closely with regulators to ensure it meets the highest standards of protection for its customers.

--This is a developing story and will be updated. Check back for more.
