Capital One, the fifth-largest US credit card issuer, confirmed on Monday that a hacker accessed the personal information of around 106m card customers and applicants, in one of the largest data breaches of a big “bank”.
The bulk of the exposed data related to information submitted by customers and small businesses that applied for Capital One credit cards between 2005 and early 2019. It appears that the breach occurred as long ago as late March 2019, and that it was found by a so-called white hat hacker, who emailed Capital One about the leak.
Capital One was an enthusiastic adopter of the cloud for data storage, with the process of shifting all of its data to AWS due to be completed by 2020.
The data hacked apparently included social security numbers, bank account numbers, credit scores and payment histories, but not credit card numbers.
Analysis and Comments
There was some early speculation that, as the hacker had previously worked at AWS, the hack might have originated there, but more recent FBI filings suggest that the Capital One data breach was the result of a configuration vulnerability in Capital One's own system.
The Capital One breach came just days after credit reporting agency Equifax announced a c. $700m settlement with a number of US government agencies regarding its data breach (FTC blog on Equifax settlement). The settlement includes a sum of up to $425m for the c. 147m customers who were potentially impacted by the breach announced in September 2017.
Capital One was quoted as saying that it would make provision for costs of c. $100-$150m in 2019 to cover customer notification, credit monitoring, and technology and legal costs, although if the Equifax settlement is anything to go by, this might not be all it ends up spending.
According to the FT, news of the breach sent Capital One's shares down 5.9%, a big move but not a massive one. This suggests to us that some investors are starting to view these breaches, and the subsequent costs and fines, as just a “cost of doing business”.
This approach may end up being risky. In the US, there have been increasing calls for more regulation of the way financial institutions protect their customers' data (Credit agencies must change how they manage data). Some commentators have drawn parallels with the European GDPR structure, where penalties of up to 4% of global turnover (up to €20m) can be imposed for breaches in the processes around how client data is handled (EU GDPR rules). Much larger fines have also been signalled, such as the notice of intent to fine BA for a large data breach in 2018 (ICO to fine BA £183m).
Consumers are increasingly looking to transact online. As more industries go digital, especially via the cloud, this is an issue that is going to take up more investor attention.