Capitol One is being slapped with an $80 million dollar fine for its role in a 2019 breach that exposed the data of over 100 million customers. According to a statement issued Thursday by the Office of the Comptroller of Currency (OCC)—the wing of the US Department of Treasury meant to regulate all things banking—Capitol One didn’t just have lax security practices, but it knew they were insufficient and hid its self-made mess from scrutiny for years before the whole thing blew up in its face.
Reading through the OCC’s own investigation that led up to the fine, the results are… unflattering for Capital One, to say the least. Since the bank pivoting to being a cloud-based enterprise in 2015, their own internal audits of these new systems completely glossed over some of the glaring potholes that can come packaged with these sorts of data storage systems. Not only that, but whatever audit details they did pass onto their oversight committee at the time completely failed to “effectively report on and highlight identified weaknesses and gaps,”deliberately or otherwise. On top of all that, the doc points out that for certain security concerns auditors raised, Capitol One’s board “ failed to take effective actions to hold management accountable,” even when they promised they would. Whoops!
In the end, this was the sort of ass-dragging behavior that would result in one of the most high-profile bank heists to date. In 2019, ex-Amazon engineer Paige Thompson snuck through Capital One’s shit security and got her hands on 140,000 Social Security numbers and 80,000 bank account numbers. Since then, the company’s said that it’s “invested significant additional resources into further strengthening our cyber defenses.”
Aside from this, the OCC is also mandating that the banking chain appoint a three-or-more-person “compliance committee” by the end of this month, the majority of whose members can’t be employees of Capitol One or its affiliates—probably since, y’know, they’ve proven themselves to be less-than-proactive in the past. This committee’s set to have meetings every quarter, with the first happening this coming October, when they’re expected to present a full, written plan of how they’re going to keep up with the OCC’s cybersecurity (and the Board’s) standards moving forward.
Of course, $80 million might sound like a lot, but as usual, this is only a fraction of a fraction of a fraction of the company’s overall bottom line—which, as they proudly told investors, reached a record-breaking $28.6 billion for 2019. (Profits have since dipped, but as a result of the global pandemic.) In the end, none of that cash—and none of the fine—is going to make its way to the millions that were actually hit by this corporation’s gross, obvious negligence. Instead, according to the OCC, it’ll be paid to the US Department of Treasury.