Capital One Financial (NYSE:COF)
Historical Stock Chart

From Oct 2019 to Oct 2024

By Robert McMillan 

Banks have joined other companies in the rush to embrace cloud computing after hanging back because of early security concerns. But a high-profile data breach at one of the cloud's top proponents could reignite debate among financial institutions about using such vendors.

Capital One Financial Corp., the fifth-largest U.S. credit-card issuer, said Monday that information of roughly 106 million card customers was exposed in one of the largest data breaches of a big bank.

The data was stored on Amazon.com Inc.'s cloud, according to a federal criminal complaint and people familiar with the matter. The avenue of entry, the companies and investigators said, was a poorly configured firewall -- a mechanism designed to wall off privately operated digital systems -- that a hacker breached.

Cloud computing has boomed as companies have increasingly turned to providers such as Amazon and Microsoft Corp. to do the work of configuring computers inside their own data centers. The processing power of those servers and storage devices is then rented out to cloud customers, who pay depending on how much work the computers do.

Capital One was an early adopter of cloud-computing among financial institutions as many other banks hesitated to move customer data out of their data centers. But the global cloud business has expanded -- including among banks -- as companies such as JPMorgan Chase & Co. and Bank of America Corp. became converts. That has heightened the stakes from the Capital One breach for the broader financial-services and cloud-computing industries.

By 2023, banks globally are forecast to spend more than $53 billion on public cloud infrastructure and data services, up from $24.3 billion this year, according to market research firm International Data Corp.

The disclosure of the breach has caused a behind-the-scenes scramble at several financial institutions to understand what happened at Capital One, according to a person familiar with the discussions.

"Everyone who is migrating to the cloud is really going to look at their controls," said Sameer Malhotra, the chief executive of TrueFort Inc., a company that provides cloud security services. However, he added, "I don't think it's going to change their intention to move to the cloud."

Although court documents indicate a Capital One error led to the breach, the alleged hacker, Paige A. Thompson, is a former employee at Amazon's web services unit, the world's biggest cloud-computing business. That raises questions about whether she used knowledge acquired while working at the cloud-computing giant to commit her alleged crime, said Chris Vickery director of cyber-risk research at the security firm UpGuard Inc.

A lawyer representing Ms. Thompson didn't return messages seeking comment.

An Amazon spokesman attributed the hack to a firewall issue, not a cloud-computing problem.

Cloud computing caught on in part because it allowed software engineers to sidestep cumbersome security restrictions and sluggish development processes that made companies' in-house technologies clunky. But the ease and speed of opting instead to fire up a server through Amazon Web Services has led to many cloud misconfiguration problems that can leave sensitive data exposed to unauthorized access.

"It's easy to misconfigure things and it's easy to have catastrophic results from those misconfigurations," Mr. Vickery said.

As the list of companies that have inadvertently exposed data on the cloud has grown, Amazon has taken steps to minimize that risk. In 2017, the company introduced a series of technologies to detect such configuration problems and make them easier to fix.

Capital One started working with AWS in 2014 and has since become a marquee customer. In 2015, Capital One Chief Information Officer Rob Alexander said "the financial services industry attracts some of the worst cybercriminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers."

Capital One said its cloud use wasn't the problem. "This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments," the bank said. It added that its use of the cloud helped it respond to the breach faster. The company learned of the incident on July 19 and notified affected customers 10 days later.

Over the years, Capital One has developed systems to prevent data from being inadvertently released to the wider internet, according to a person familiar with the company's operations.

"Any company that has or is looking to move into the cloud must ensure that their security strategy is developed alongside of that transformation," said Vincent Liu, a partner with the security-consulting firm Bishop Fox.

Mr. Liu, whose company assesses security vulnerabilities on corporate networks says, that while configuration problems happen in corporate data centers as well, he often finds that "basic cyber hygiene gets thrown out the window" as companies move to new technologies such as the cloud.

The financial stakes for companies to safeguard customer information are quickly rising. Credit-reporting company Equifax Inc. struck a $700 million settlement this month with state and federal authorities concerning its 2017 data breach that exposed information on some 150 million Americans. In Britain, Marriott International Inc. faces a potential GBP99.2 million ($102.5 million) fine over a data breach. The same U.K. regulator this month also proposed a record GBP183.4 million fine following a hack at British Airways last year.

Capital One said it expected to spend up to $150 million to cover breach-related costs, largely for issues such as notifying customers and paying for credit monitoring. The bank didn't discuss potential fines.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

(END) Dow Jones Newswires

July 30, 2019 16:10 ET (20:10 GMT)