
Capital One® Data Breach Raises Liability Questions

September 03, 2019 (4 min read)

In the spring of 2019, Capital One® suffered a massive data breach that affected more than 100 million of its customers. Personal information compromised in the breach includes physical addresses, phone numbers, email addresses, self-reported income, credit histories and credit scores. Capital One reported that sensitive personal information, including 140,000 social security numbers and 80,000 bank accounts, was also stolen.

The suspected hacker behind the breach is Paige Thompson, a 33-year-old Seattle-based software engineer and former Amazon Web Services, Inc. employee. Thompson was arrested by the FBI, which had been investigating her online activity in forums, where she bragged about her hacking work.

How Big Was the Capital One Data Breach?

When news of the Capital One breach reached the public in August 2019, it came days after the announcement of a preliminary settlement for US consumers affected by the 2017 Equifax® data breach. That breach, which dominated headlines for months, affected more than 147 million customers. The settlement has been valued at more than $1.5 billion, and includes cash compensation of up to $505 million. Costs include credit monitoring and assistance with incidents of identity fraud.

Earlier this year, meanwhile, Yahoo!® struck a comparatively cheap $117.5 million settlement with millions of users whose email addresses and other personal information were stolen in a trio of breaches at the internet giant. Yahoo was accused of being slow to disclose three data breaches that affected some three billion accounts from 2013 to 2016. The settlement included $55 million for victims’ out-of-pocket expenses, $24 million for two years of credit monitoring, $30 million for legal fees and $8.5 million for other expenses. It covers 194 million people in the United States and Israel, who collectively hold nearly 900 million Yahoo accounts.

So, two questions remain:

  1. Will Capital One’s ultimate liability be closer to Equifax’s or Yahoo’s?
  2. As for Capital One stakeholders, will the response to this breach resemble the type of action (or lack thereof) the public witnessed with Equifax and Facebook, up until the settlements?

Estimating Capital One’s Liability

Capital One is betting on the latter. The financial services provider has told investors that it expects the cost of the breach to end up ranging from $100 million to $150 million, covering customer notifications, credit monitoring and other legal costs. And certainly, there is some reason to see it as being qualitatively different from the Equifax hack. Unlike the Capital One and Yahoo breaches, the breach at Equifax exposed the information of individuals who had not voluntarily given the company their information (barring the relative few who had signed up for Equifax’s credit monitoring). The Equifax breach is also different in that it involved the theft of 14.5 million social security numbers. Only a limited number of social security numbers were exposed in the Capital One case.

Another potential factor in Capital One’s favor is the apparent lack of damages from Ms. Thompson’s hack. While she may have bragged about her exploits in chat rooms, Capital One has said that it doesn’t believe the information she compromised was disseminated or used for fraud. While Capital One has already promised to provide free credit monitoring and identity protection to those affected, the breach may not give rise to voluminous (and expensive) cases of actual identity theft. Such assurances are also troubling, however, because statements to this effect are always premature to make, given that the intrusion took place in March 2019 but wasn’t discovered until August 2019.

One J.P. Morgan™ analyst has endorsed the view that all is well at Capital One despite the enormous breach, telling clients that “We believe [Capital One] continues to benefit from a benign credit environment and highly profitable loan book.” The credit rating agency Fitch®, for its part, also says that it expects the financial impact of the breach to be “manageable.”

That does not mean that Capital One, which is already facing class action litigation, is out of the woods. An estimate by one Morgan Stanley® analyst puts Capital One’s price tag between $100 million and $500 million, a higher estimate than the bank’s. While few social security numbers were exposed, the sheer number of customers whose personal information was stolen could subject Capital One to additional regulatory fines and state settlements. Some of the fines, however, could be covered by Capital One’s cyber insurance policy. The policy covers up to $400 million following a $10 million deductible.

Of course, the cost of any settlements and fines does not include additional costs for enhancing the company’s security measures moving forward. Yahoo agreed to spend $306 million between 2019 and 2022 on information security. The Equifax settlement requires Equifax to spend at least $1 billion over the next 5 years to overhaul its data security.

It remains to be seen what the legal and financial ramifications of the Capital One breach will be, but they could possibly be higher than the bank currently estimates. The Equifax and Yahoo cases highlight that costs can quickly add up, especially after class suit settlements that seek to provide financial reparations for victims and security enhancements for consumers moving forward.

Products or services may be trademarks or registered trademarks of their respective companies.