Over 100 Million Individuals Affected by Capital One Breach

On July 29, bank and credit card company Capital One announced the discovery of a data breach affecting approximately 100 million customers in the United States and approximately 6 million in Canada. About 140,000 Social Security numbers and 80,000 bank account numbers were compromised, as well as personal information such as names, addresses, birthdays, etc., and “fragments of transactional data from a total of 23 days in 2016, 2017 and 2018.”

The breach brings its $400 million cyber coverage into play. The bank estimates its costs to be between $100 million-150 million, mostly in the form of legal support and credit monitoring for its customers.

The cause? A “configuration vulnerability” in Capital One’s cloud server—that is, the company misconfigured its server. The bank, which has positioned itself as a tech leader in the financial space, is not the first to fall victim to this kind of mistake–about 90% of data breaches are caused by human error. This comes with litigation: Capital One “is being charged with negligence and breach of implied contract, according to the complaint filed in the U.S. District Court for the District of Columbia in Kevin Zosiak et al. v. Capital One Financial Corp. et. al.”

The Equifax breach, which affected approximately 145 million people, was followed by a renewed focus on cybersecurity regulation and fresh questions about how the U.S. government could help address data privacy concerns. The Council will continue to monitor state and federal legislatures in the coming months to see if any regulatory action is taken. New York has already taken notice:  a statement from the NY Department of Financial Services indicated the NYDFS  is “deeply concerned” by the breach and would be “examining [the] matter.”