Report on Supply Chain Compliance 3, no. 16 (August 20, 2020)
The Office of the Comptroller of the Currency fined Capital One USD 80 million for inadequate data controls leading to a 2019 data breach and for failing to fix the problems in a timely manner. The breach was one of the largest in history for a big bank, affecting credit card applications and accounts for more than 100 million customers.
The hack, perpetrated by a former Amazon Web Services employee, not only “compromised 106 million credit card applications—including names, addresses, phone numbers, and dates of birth—[but also] 140,000 Social Security numbers and 80,000 bank account numbers.”
The most recent fine was “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
The regulatory body also forced Capital One to sign a consent order requiring the company to provide evidence of improved controls.