The Comptroller of the Currency said in a consent order on Thursday that Capital One had failed in 2015 to implement effective risk management when migrating information technology operations to a cloud-based service.
He said the bank’s internal audit did not identify “many weaknesses” in its management of the cloud environment and “engaged in unsafe or unfounded practices that were part of a model of misbehavior”.
The consent order says Capital One is committed to resolving the issue. An email to Capital One requesting comment was not immediately returned.
Among the largest of its kind on record, the 2019 breach compromised around 140,000 social security numbers and 80,000 bank account numbers. The accused hacker, former Amazon software engineer Paige Thompson, has pleaded not guilty to the breach charges.
Thompson, a transgender woman, is due to stand trial in February. Her lawyers sought to have her released to a halfway house where she would have better access to mental health care, but the judge in the case denied the request, saying she posed a flight risk and a danger to others.
No evidence has emerged that Thompson sought to benefit financially from the hack.