The data breach at Capital One, while affecting a large number of individuals (100 million in the United States, 6 million in Canada) so far seems to be having limited consequences for consumers. The attack was the work of one individual; her motive is still unclear but seems more likely to have been publicity than financial gain. An estimated 140,000 Social Security numbers and one million Canadian social insurance numbers were impacted – large numbers but a small portion of the total number of potential victims. Additional personal information was compromised, but no credit card account numbers or log in credentials.
This does not mean there will be no consequences for Capital One. There will be the cost of notification and credit monitoring. At least three class action suits have been filed; even if they are ultimately dismissed (by now plaintiff attorneys seem to have generic complaints, and just fill in their target when news of a breach breaks) there will be large defense costs. State and federal regulators are investigating. One probable question is why Capital One still had information on file from 2005. Compromised information will be available on the dark web. Capital One’s reputation will suffer, not least because it was an outsider tip that led to discovery of the breach. (“What’s in your wallet?” will never have the same meaning as before.)
Since a primary cause of the breach is a misconfiguration in the cloud, organizations must be sure cloud service providers have up to date security procedures, and service agreements properly allocate legal liability. Although AWS has disclaimed liability and their typical service contracts seem to support this, their relationship with Capital One and the fact that the perpetrator is a former AWS employee raises questions.
Finally, this is a reminder that absolute cybersecurity is impossible. We must all be alert.
ABOUT THE AUTHOR
Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.