Capital One Moves Past 2019 Hacking Incident

The Office of the Comptroller of the Currency Lifts Reporting Requirement
U.S. federal financial regulators lifted an oversight requirement on credit card giant Capital One just as the retail bank was close to finalizing a settlement of a class action lawsuit tied to its 2019 hacking incident.

The Office of the Comptroller of the Currency said on Aug. 31 that cybersecurity at the bank has improved since convicted hacker Paige A. Thompson downloaded 1.75 terabytes of sensitive data pertaining to approximately 100 million North American customers from Capital One's cloud computer storage accounts at Amazon Web Services.

The office fined Capital One $80 million and ordered the bank to improve its cloud information security program. The Virginia-headquartered company prides itself on a technology-forward approach and completed the migration of its data centers into the cloud in 2020.

Prosecutors say Thompson, 36, who is a former coder for Amazon, scanned the AWS cloud searching for misconfigured accounts and found 30 - including Capital One. She is set to be sentenced on Oct. 4 after a jury convicted her in June of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer.

The August order from the comptroller lifts a requirement that Capital One's board-appointed compliance committee report quarterly to regulators detailing efforts to enhance cybersecurity.

Plaintiffs suing the company in a putative class action - whose $190 million settlement a federal judge gave final approval to earlier this month - asserted that Capital One wasn't just an unlucky victim of hacking but neglected to adequately invest in data security. The company failed to realize it had been breached for four months and then only became aware because it received a tip. "Hello there, There appears to be some leaked s3 data of yours in someone's github/gist," someone emailed the company in July 2019.

At the time the comptroller issued its 2020 order, the Federal Reserve also issued a cease and desist order requiring the Capital One board to submit a plan detailing efforts to strengthen risk management oversight.


About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



