Capital One Moves Past 2019 Hacking IncidentThe Office of the Comptroller of the Currency Lifts Reporting Requirement
U.S. federal financial regulators lifted an oversight requirement on credit card giant Capital One just as the retail bank was close to finalizing a class action lawsuit tied to its 2019 hacking incident.
The Office of the Comptroller of the Currency said on Aug. 31 that cybersecurity at the bank has improved since convicted hacker Paige A. Thompson downloaded 1.75 terabytes of sensitive data pertaining to approximately 100 million North American customers from Capital One's cloud computer storage accounts at Amazon Web Services.
The office fined Capital One $80 million and ordered the bank to improve its cloud information security program. The Virginia-headquartered company prides itself on a technology-forward approach and completed the migration of its data centers into the cloud in 2020.
Prosecutors say Thompson, 36, who is a former coder for Amazon, scanned the AWS cloud searching for misconfigured accounts and found 30 - including Capital One. She is set to be sentenced on Oct. 4 after a jury convicted her in June of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer.
The August order from the comptroller lifts a requirement that Capital One's board-appointed compliance committee report quarterly to regulators detailing efforts to enhance cybersecurity.
Plaintiffs suing the company in a putative class action - whose $190 million settlement a federal judge gave final approval earlier this month - asserted that Capital One wasn't just an unlucky victim of hacking but neglected to adequately invest in data security. The company failed to realize it had been breached for four months and then only became aware because it received a tip. "Hello there, There appears to be some leaked s3 data of yours in someone's github/gist," someone emailed the company in July 2019.
At the time the comptroller issued its 2020 order, the Federal Reserve also issued a cease and desist order requiring the Capital One board to submit a plan detailing efforts to strengthen risk management oversight.