Capital One has agreed to pay an $80 million fine to U.S. regulators over a major hack last year in which authorities say about 100 million credit card applications were illegally accessed.
The Virginia-based bank with a popular credit card business said it has taken steps to tighten security around its customer information even before the July 2019 arrest of the suspected hacker, but under the terms of an order issued by the Office of the Comptroller of the Currency, the bank will be required to take additional steps to show that its computer system has sufficient security.
The Capital One hack was one of the largest data breaches ever to hit a financial services firm. In 2017, the credit-reporting company Equifax disclosed that hackers had stolen the personal information of 147 million people. Equifax reached a $700 million settlement with regulators over that breach.
The comptroller office said in a statement that the Capital One fine was "based on the bank's failure to establish effective risk assessment processes" before it moved a major portion of its computer data to a cloud storage system, "and the bank's failure to correct the deficiencies in a timely manner."
The regulator also said Capital One deserved credit for its customer notification and remediation efforts in the wake of the hack.
"Safeguarding our customers' information is essential to our role as a financial institution," the bank said in a statement. "The controls we put in place before last year's incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker. In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders."
In July 2019, the FBI arrested Paige Thompson of Seattle on charges that she hacked the bank and bragged about it in online forums. Thompson has pleaded not guilty and is awaiting trial.
When it announced the breach last year, Capital One emphasized that no credit card numbers or log-in credentials were compromised, nor were most Social Security numbers on the affected applications.
Officials have said the bank, which is headquartered in McLean, Va., was alerted to the problem by someone who had been in an online discussion with Thompson. After the tip, the bank quickly confirmed the vulnerability in its system.
Prosecutors say the hacker was able to access about 100 million credit card applications as well as the Social Security numbers of more than 100,000 customers. Officials have said Thompson was arrested before she could disseminate that information to anyone.