Capital One is facing a penalty for its giant 2019 data breach, although it might not be as serious as you’d expect. The Wall Street Journal (via The Verge) reports that the Office of the Comptroller of the Currency has fined Capital One $80 million over the security failings that led to the breach. The bank didn’t create an “effective” risk assessment system before moving key IT systems to the public cloud, the OCC said, and didn’t address the flaws in a “timely manner.”
The alleged intruder, Paige Thompson, is believed to have taken advantage of a “misconfigured” firewall for a web app to steal data in a breach that compromised about 100 million people in the US, plus another 6 million in Canada. Her trial starts in 2021.
A bank spokesperson said the company had since poured “significant” resources into bolstering its security and otherwise addressing orders from both the OCC and the Federal Reserve.
The payout isn’t small, but it might not make many victims happy. The breach exposed sensitive details like addresses, reported income and (in some cases) account numbers and credit scores. Capital One did provide free credit monitoring and identity theft protection after the incident, but the payout still amounts to about 75 cents per person affected in North America. Like the Equifax breach, the compensation may seem small compared to the security precautions affected people had to take and the stress inflicted on them.