Capital One Touted the Cloud’s Safety as Hacker Was Breaching It

July 31, 2019 by

Capital One Financial Corp., in recent years, has beat the drum every chance it got: The cloud is cheaper. The cloud is faster. And the cloud is far more secure.

Then a hacker got into the cloud, siphoning off sensitive information for more than 100 million of Capital One’s customers.

That revelation late Monday thrust the third-largest U.S. credit-card lender into the center of the latest massive data breach, and now threatens to upend a technology strategy personally championed by longtime Chief Executive Officer Richard Fairbank. He’s been one of the financial industry’s most vocal proponents for shifting sensitive customer information to outside cloud services — a move that he’s promised would cut costs and offer a suite of other benefits.

“We are now considered one of the most cloud-forward companies in the world,” Fairbank told shareholders in April.

Just weeks before, according to U.S. prosecutors, a hacker began tapping into a vast trove of information from Amazon.com Inc. servers the bank was using. The breach is calling into question the lender’s strategy for reducing technology costs while taking advantage of the cloud’s rapid scalability and burgeoning array of applications.

“The magnitude of this breach is very large,” JPMorgan Chase & Co. analysts led by Richard Shane said in a note to clients. “While it is unclear whether this is directly related to Capital One’s transition to a cloud-based infrastructure,” there is likely to be “renewed concern going forward.”

Capital One’s shares dropped as much as 7.9% Tuesday morning, their biggest intraday decline in almost four years. The slump pared the stock’s advance for the year to 19%, just above the gain for the 68-company S&P 500 Financials Index.

Capital One said that about 100 million U.S. consumers were impacted by the breach. The stolen data, stored on servers rented from Amazon Web Services, was personal information found on card applications, such as names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.

On Monday, authorities arrested and charged Paige A. Thompson, a 33-year-old former Amazon Web Services employee, with computer fraud and abuse. In a complaint filed in Seattle, prosecutors said that Thompson exploited an improperly configured firewall and accessed the data at various times between March 12 and July 17. The bank said it immediately fixed the problem once it was discovered.

Capital One said its expects the incremental costs of the incident to be $100 million to $150 million, mostly expenses tied to providing credit monitoring and legal support. The company has a cyber-risk insurance policy with a $10 million deductible for $400 million in coverage.

“This type of vulnerability is not specific to the cloud,” Capital One said in a statement. “The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”

While banks including JPMorgan and Discover Financial Services have been vocal proponents of cloud technology and its ability to lower costs and speed up digital advancements, industry executives have cautioned that sensitive consumer data could be put at risk on the cloud. Bank of America Corp., the second-largest U.S. bank, has been reticent to use the public cloud.

Amazon Web Services is making an aggressive push for growth in the financial industry and is already working with firms including HSBC Holdings Plc, Fidelity Investments, Nasdaq Inc. and Liberty Mutual Group Inc.

“We’re all in on the cloud right now,” Steve Randich, chief information officer at the Financial Industry Regulatory Authority, the U.S. brokerage industry’s main regulator, said at a conference hosted by Amazon Web Services earlier this month at New York’s Javits Center. Virtually all of the regulator’s applications and data are in the public cloud, and its net costs have decreased as a result, he said.

Over the years, Capital One has become something of a poster child for Amazon’s push into financial services for its cloud business. The lender was among the first to publicly acknowledge a partnership with Amazon, and it was the subject of several case studies that Amazon published on how its technology can improve banks’ offerings.

“Capital One selected AWS for its security model,” according to an Amazon Web Services website. “It is using or experimenting with nearly every AWS service to develop, test, build and run its most critical workloads, including its new flagship mobile-banking application.”

Capital One is often considered a leader in banking technology, a history that goes back to its founding by Fairbank in 1988. In recent years, the company has undergone what it calls a “technology transformation” in which it hired thousands of engineers and developed its application programming interface, or API, to share data more easily.

“A lot of how we built our company is not by studying banking, but by forgetting about banking,” Fairbank told investors at a conference last month. The goal is to have a “bank that is empowering your life without having to go visit it every time.”

Fairbank himself has been a critic of other companies’ data breaches. He warned investors in 2017 that a breach of Equifax Inc.’s systems that exposed data for more than 140 million consumers would be costly for his firm.

“These are bad things for card companies because, every time there’s been a breach, I’ve said to our folks, ‘How come card companies end up paying for this and why not the one who did the breach?'” Fairbank said at the time.

–With assistance from Christian Berthelsen.