
Capital One breach has risk, technology and legal fallout

Richard Satran  Financial Journalist, Thomson Reuters Regulatory Intelligence

A hacker attack on Capital One that stole details on 100 million consumers marked the largest ever breach at a big U.S. bank. The case showed both vulnerabilities and advances in cybersecurity.

The obvious lesson is that even the most stringent cyber defense program remains vulnerable when someone with insider knowledge of its systems, current or former, decides to steal data.

The suspect is a former software engineer who had worked for Capital One’s cloud service provider and had access to technical details of the firm. Capital One already faces strong criticism, but unlike some past firms cited for widespread security failures, it had mitigating factors that make the breach less damaging.

Here are three of the key takeaways:

The Capital One case appears to carry less potential for damage than Equifax because its cybersecurity protocols appear to have been relatively sound.

Capital One reported extensive details on its breach in less than two weeks. Equifax waited nearly two months, and two senior Equifax employees were charged with insider trading before the incident was disclosed. The Capital One incident involved an insider using a little-known faulty configuration to gain access. By comparison, investigators found that Equifax failed to heed numerous warnings to apply a well-known security patch. Capital One used tokenization, replacing Social Security numbers and account numbers with encrypted “tokens”, to render them unusable to potential hackers. Equifax stored them in plain text, exposing 145 million Social Security numbers.
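To make concrete why tokenized identifiers are worth less to a thief than plaintext ones, here is an added example of vault-style tokenization. It is illustrative code written for this page, not Capital One’s implementation (which the article does not describe), and the class and function names, the token format and the sample customer records are all assumptions. The application table stores only random tokens; the mapping back to the real Social Security number lives in a separately controlled vault, so copying the application table alone yields nothing an attacker can use.

```python
"""Vault-style tokenization of SSNs (added illustration; not Capital One's code)."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, List, Tuple

# Well-formed SSN with dashes, e.g. 123-45-6789 (format used for the sample data).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """The only place real SSNs exist.

    In a real deployment this runs as a separate service with its own access
    controls and audit trail; the application database never holds the SSN.
    """

    def __init__(self, index_key: bytes):
        # Secret for the lookup index. It stays with the vault, never with the app.
        self._index_key = index_key
        self._token_to_value: Dict[str, str] = {}
        # HMAC(SSN) -> token, so a repeated SSN maps to one stable token (needed
        # for joins and de-duplication) without a second reversible copy of the SSN.
        self._index_to_token: Dict[str, str] = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("value is not a well-formed SSN")
        idx = self._index(ssn)
        existing = self._index_to_token.get(idx)
        if existing is not None:
            return existing
        # The token is random and carries no information about the SSN.
        # A collision is astronomically unlikely but is checked anyway.
        while True:
            token = "tok_" + secrets.token_hex(12)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = ssn
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reversing a token requires access to the vault itself."""
        return self._token_to_value[token]


def build_customer_records(vault: TokenVault,
                           customers: Iterable[Tuple[str, str]]) -> List[dict]:
    """Application-side table: stores the token where the SSN would have been."""
    return [{"name": name, "ssn_token": vault.tokenize(ssn)} for name, ssn in customers]


def recoverable_ssns(records: Iterable[dict]) -> List[str]:
    """What someone who copies only the application table can read back.

    Tokens are opaque without the vault; any value that still looks like an
    SSN means tokenization was skipped for that row.
    """
    return [r["ssn_token"] for r in records if SSN_RE.match(r["ssn_token"])]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed sample customers; the SSNs are made up.
    sample = [("Alice", "123-45-6789"), ("Bob", "987-65-4321"), ("Alice", "123-45-6789")]
    table = build_customer_records(vault, sample)
    print(table)
    print("recoverable from the app table alone:", recoverable_ssns(table))
    print("with vault access:", vault.detokenize(table[0]["ssn_token"]))
```

The design point is the separation: the breach of one data store (the application table) no longer exposes the identifier, and the `recoverable_ssns` check is the kind of control a team can run over a data store to catch rows where tokenization was bypassed. Other unencrypted fields stored alongside the token, such as names and addresses, are still exposed, which is exactly the residual risk the article goes on to note.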

“A lot of people are probably wondering how bad this breach really is. It’s not as severe as the 2017 Equifax breach,” said Paul Bischoff, privacy advocate with cybersecurity firm Comparitech Ltd. “This data most likely never made it into the hands of criminals other than the employee who stole it, and she was arrested.”

Security experts warned, however, that other unencrypted personal data compromised at Capital One, such as names, addresses and credit information, could be used in future attacks.

Regulators and lawmakers will review risk disclosures, cyber defenses and remediation.

Cyber defense regulation requires ongoing monitoring of threats, both internal and external. The New York Department of Financial Services, which has the country’s most comprehensive cyber defense regulation, said it is monitoring Capital One, although the bank’s main regulator is the U.S. Office of the Comptroller of the Currency. The New York rules require nonpublic information to be encrypted in transit and at rest (or protected by approved compensating controls) and require firms to perform due diligence on third-party service providers, both of which could pose problems for Capital One.

The bank’s risk disclosures will be reviewed by other regulators. In the recent Facebook case, the Federal Trade Commission levied a $5 billion fine over the social network’s deficient notification to consumers about the use of personal data, and the Securities and Exchange Commission issued a $100 million fine over inadequate risk warnings to investors. As a highly-regulated bank considered a domestic systemically important financial institution, Capital One could also face scrutiny from the Federal Reserve. Two congressional committees have announced hearings on the matter.

Quick action to notify authorities and the public is a top priority for regulators. Capital One appears to have been well prepared with an escalation process when the breach was discovered: the company helped authorities find the suspect in days, and then notified the public with clear details. In past breaches such as Equifax no hackers were apprehended. That could limit damages.

The use of cloud storage will be blamed, but the data breach was caused by a number of factors.

In the finance industry Capital One has been seen as an early mover to the cloud for data storage. Media reports are already drawing the connection between this strategy and the breach. The company has not blamed cloud provider Amazon, but the breach will raise concerns about how gateways to the cloud are secured. Capital One blamed a faulty server configuration, spotted by a “highly sophisticated” former insider, the ex-Amazon employee, who was able to exploit it through the application interface after she had left that firm.

Despite the presence of advanced security technology, the hacker attack showed the potential for new exploits that take advantage of “misconfigurations that could be leveraged for exploit” as distributed and networked computing grow more complex, said Tom DeSot, chief information officer of Digital Defense, Inc. “The Capital One breach highlights the need for increased scrutiny of hosted security applications.”
