The Fed filed a cease-and-desist order laying out steps Capital One (COF) must take to improve its risk-management program and its internal controls related to cybersecurity and information security. The order is part of the consent orders Capital One entered into with the Fed and the Office of the Comptroller of the Currency in response to the incident. The Fed’s action comes in conjunction with an $80 million civil penalty announced Thursday against Capital One by the Office of the Comptroller of the Currency.
In July 2019, Capital One revealed that a hacker had accessed private data for more than 100 million US Capital One customers. The exposed data from the hack included Social Security numbers, credit card applications, home addresses, credit scores, credit limits and balances. The hacker also had access to the personal data of approximately 6 million individuals in Canada, according to the Federal Reserve Board.
The hack marked one of the largest data breaches ever, and among those affected were some of the bank’s most financially vulnerable customers.