U.S. regulators have fined Capital One $80 million for a data breach that exposed the personal information of more than 100 million customers last year.
The fine was announced by the Office of the Comptroller of the Currency (OCC) on Thursday and was issued in conjunction with a cease and desist order from the Federal Reserve, which dictated several measures that Capital One must take to improve its internal controls related to cybersecurity and data security.
"The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner," the OCC wrote in a statement. "In taking this action, the OCC positively considered the bank's customer notification and remediation efforts."
Capital One revealed the breach in July 2019, saying that hackers had accessed the personal information, including Social Security numbers, credit card applications, addresses, credit scores and other data, of 106 million Capital One customers. The perpetrators also accessed the personal data of approximately six million individuals in Canada.
As part of the Fed's cease and desist order, Capital One's board of directors must submit a plan to improve its internal data and security controls within 90 days. The bank must also submit quarterly progress reports to the Fed.
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” said Capital One in a statement to reporters.
The $80 million fine will be paid to the U.S. Treasury.