The breach of sensitive customer data is a nightmare scenario keeping an ever-greater number of CEOs awake at night. It is no wonder: new vulnerabilities in cyber defenses are revealed constantly.
The public became aware of the newest massive data breach on July 29, after a U.S.-based software engineer posted the application information of more than 100 million Capital One cardholders on GitHub. Capital One now faces the prospect of litigation and massive costs arising from the breach. The company is currently – and optimistically – estimating at least $150 million in costs.
At least two class action lawsuits were recently filed in the U.S. District Court for the District of Columbia and the U.S. District Court for the Eastern District of Virginia. Both lawsuits allege that Capital One was negligent in protecting the sensitive information of its customers.
Capital One acknowledged that approximately 140,000 Social Security numbers were involved in the incident, as well as 80,000 linked bank account numbers. The more than 100 million affected customers and applicants had their names, phone numbers, credit scores and other personal information exposed.
Capital One maintains the application records of cardholder members going back as far as 2005 on Amazon Web Services cloud infrastructure. Paige Thompson, whom the FBI arrested on July 29, exploited a flaw in Capital One’s firewall configuration to reach the data stored on that infrastructure. According to the complaints, the breach occurred months before Capital One became aware of it. Thompson previously worked for Amazon Web Services, although not at the time the breach occurred.
An Amazon spokesperson told the press that the breach did not involve a flaw in its cloud product: the “underlying cloud-based infrastructure” remained intact and performed as designed, and the flaw was a “misconfiguration of the web application.” The distinction matters because, under the cloud provider’s shared responsibility model, the provider secures the infrastructure while the customer is responsible for how it configures the applications, firewalls and access controls it runs on top of it.
According to cybersecurity experts quoted in Newsweek, leaks from data stores hosted on Amazon Web Services are common. Researchers regularly discover customer data left inadequately protected in the cloud and then disclose it to the owner.
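The page does not say which AWS data store was exposed or what the web-application misconfiguration consisted of, so the following is an added example rather than anything from the page, Capital One or Amazon. It shows the kind of offline check that catches the most common form of "inadequately protected information on the cloud": an AWS resource-based policy document (the shape used by S3 bucket policies) that grants access to any principal. The policy documents, bucket names, account ID, role name and organization ID are constructed sample values.

```python
import json

# Constructed sample policy documents shaped like AWS resource-based policies
# (e.g. an S3 bucket policy). The bucket names, account ID, role and org ID are
# made-up values for this example, not anything from the breach.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            # Anyone on the internet may list and read the bucket.
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-card-applications",
                "arn:aws:s3:::example-card-applications/*",
            ],
        }
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            # Read access limited to one named IAM role in the owning account.
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-card-applications/*",
        },
        {
            # Wildcard principal fenced by a condition: needs review, but not an open bucket.
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-card-applications/marketing/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg123"}},
        },
    ],
})


def _as_list(value):
    """AWS policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True if the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(policy_json):
    """Return findings for Allow statements whose Principal is a wildcard.

    Each finding is a dict with the statement index, a severity of "public"
    (no Condition at all) or "conditional" (a Condition narrows the grant and
    needs manual review), and the list of actions granted.
    """
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append({
            "index": index,
            "severity": severity,
            "actions": _as_list(stmt.get("Action")),
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("PUBLIC_POLICY", PUBLIC_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, audit_policy(policy))
```

In a real account the document would be pulled from the bucket or IAM policy listing rather than embedded as a string, and the check is deliberately narrow: it looks only at wildcard principals in Allow statements, ignores ACLs and the NotPrincipal form, and is a complement to account-level public access blocks, not a substitute for them.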
Large banks are expected to spend heavily on cybersecurity; J.P. Morgan Chase and Bank of America alone, for example, spend $1.4 billion per year on it. That Capital One both failed to secure its data properly and failed to detect the breach for months means it may have a hard time avoiding liability, unless further clarifying details emerge.
According to the complaints, Capital One’s failure to protect the information of its customers constitutes negligence, breach of contract, and a violation of several consumer protection laws. While additional information may yet be revealed, it appears that the misconfiguration occurred on Capital One’s end. How exactly Capital One’s firewall came to be misconfigured is unclear at this time.
The complaints were filed exactly one week after Equifax settled claims arising from its own data breach for $650 million.