Capital One recently received notice from the Office of the Comptroller of the Currency that the bank had achieved a level of "safety and soundness" that no longer required the extra oversight the office imposed on the bank after its 2019 cybersecurity breach.
The OCC and Capital One agreed to a
On Thursday, the OCC
"The OCC believes that the safety and soundness of the bank and its compliance with laws and regulations does not require the continued existence of the" 2020 consent order, the regulator wrote in the new order, dated Aug. 31.
Capital One did not respond to a request for comment on the termination of the order. An OCC spokesperson declined to provide further comment, as the office does "not comment on specific banks or enforcement actions."
The termination signals that the bank has at least partly made good on a 2019 apology from Richard Fairbank, the bank's CEO and chairman.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Fairbank said at the time. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Fairbank issued the apology following the arrest of
Among the root causes of the hack was a cloud firewall configuration vulnerability, according to Daniel Mayo, a senior banking analyst for the financial services consultancy Celent. Thompson exploited that security weakness to obtain administrator account credentials that let her access tens of millions of credit card applications Capital One held.
In the end, Capital One reported that Thompson accessed the personal information of 100 million Americans and 6 million Canadians, which the consumers had provided in credit card applications. The information included names, addresses, postal codes, phone numbers, email addresses, dates of birth and self-reported income.
In addition to the credit card application data, Thompson also accessed the Social Security numbers of roughly 144,700 customers or applicants, the linked bank account numbers of roughly 80,000 secured credit card customers and the Social Insurance numbers of approximately 1 million Canadian customers.
In its 2020 penalty against Capital One, the OCC alleged that the bank failed to appropriately implement certain network security controls, as well as adequate controls for the prevention of data losses. The OCC also found that Capital One's internal audit unit failed to identify numerous weaknesses and gaps in the cloud operating environment, and that the company's board failed to take effective action in response to certain concerns that the internal audit unit did raise.
However, the OCC did say it "positively considered" the bank's customer notification and remediation efforts following the breach.
The episode
"While this incident was regrettable, I do think that we're going to find that we have a number of learnings that are going to make us a stronger and safer environment for data in the future," Blackley said at a 2019 conference.
Mayo said that the main lesson for banks from the episode is that, while cloud is "generally more secure" than on-premises computing solutions, security management and sound coding practices need to extend to the cloud just as they would to any other IT system, "particularly with respect to how data is used and accessed."
The OCC in 2020 made similar statements. "While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers," the office said in