The Federal Reserve announced Tuesday that it had released Capital One from a
The Federal Reserve, which does not provide comment when it terminates orders, declined to comment on the matter. The Office of the Comptroller of the Currency last year said when it took a similar action that the bank had achieved a level of safety and soundness that no longer required the extra oversight the office had imposed.
The consent order between the Federal Reserve and Capital One required the bank to submit progress reports on its efforts to improve its risk management functions, which were not made public. The order also required the bank's holding company to serve as a "source of strength" (meaning source of managerial and financial support) for the bank as it took actions to comply.
"We're pleased to fully resolve this regulatory matter from 2020," a spokesman for Capital One said. "We are committed to continuing to enhance our high standards of protection for our customers and staying ahead of the evolving threats faced by public and private institutions."
Guy Harris and Eric Hoffman joined the company's leadership team to help it manage an industrywide spike in suspect payments.
The spokesman said Tuesday's action resolves all outstanding orders for Capital One with the OCC and Fed. Previously, the bank also settled a class action lawsuit in the matter, agreeing to pay $190 million to the 98 million U.S. consumers affected by the breach.
The 2019 breach stemmed from the actions of Paige Thompson, a former Amazon Web Services employee who a jury convicted last year of wire fraud and five counts of unauthorized access to a protected computer.
Thompson gained access to the compromised data in part thanks to a cloud firewall configuration vulnerability. Thompson exploited that security weakness to obtain administrator account credentials that let her access tens of millions of credit card applications Capital One held. The information in those applications included names, addresses, postal codes, phone numbers, email addresses, dates of birth and self-reported income.
In addition to the credit card application data, Thompson also accessed the Social Security numbers of roughly 144,700 customers or applicants, the linked bank account numbers of roughly 80,000 secured credit card customers and the Social Insurance numbers of approximately one million Canadian customers.