Capital One: Wake Up Call or Snooze Button?

1 August 2019

This week’s data breach at Capital One was not shocking. Data breaches have been occurring for so many years at such a frequency that consumers have been numbed to the negligence that companies like Facebook, Equifax, Target, Capital One and others have shown towards consumer data. Despite Senate hearings, some regulation and public outcry, data breaches still occur, dumping massive amounts of sensitive personally identifiable information. The narrative always seems to be the same: a breach happens, the company does not report the breach in a timely manner, then the CEO of the company says that the attack was done by “sophisticated” attackers, only to find upon investigation that a security best practice was simply ignored. In more flagrant instances, such as the case with Panera Bread, a researcher reported the vulnerability responsibly only to be ignored for months leading to a data breach. Recent years have seen an increase in security awareness and responsible disclosure, so why does this continue to happen so frequently?

Corporate information security is not where it needs to be because market incentives for many large companies do not align with consumers’ well-being. Economic hardship as a result of a data breach does not loom over big companies. A simple examination of costs and business models will demonstrate this.

There are some cases where market incentives align to protect consumers. Cloud companies understand that if they suffer a public breach, they will suffer massive economic hardship through a loss of reputation. This realization incentivizes cloud companies to be secure and as a result, consumers are more secure; at least from non-state actors. Obviously, this does not prevent the cloud tenant from misconfiguring a service and subsequently leaking a huge amount of data. A misconfiguration caused the Capital One Breach this week, the Department of Defense’s classified documents leak in 2017 and tens of other corporate and government examples over the years. [1][2]

The majority of companies do not have incentives healthily aligned with consumer protection. Large companies at the center of consumers’ financial lives and our supply chain simply look at data security as a profit/loss equation for the company and ignore the costs to consumers’ privacy. This type of thinking leads to higher profits at the expense of the public.

Examining the infamous Target breach that exposed 70 million credit card numbers in 2013 we can see the real impact of a breach to a national retailer. Target’s annual report states that the breach had a cost of $61 million dollars in 2013, but was offset by a $44 million-dollar insurance payment bringing the actual cost to $17 million dollars. Target’s costs were lowered further by tax incentives which left them at a net cost of $11 million dollars, according to the report. In terms of revenue for 2013, which was $71.2 Billion, this breach accounted for 0.015% of revenue. [3] Revenue for the two years following the breach increased. In terms of cost per record, Target ended up paying only $.16 per record. It is hard to think that these numbers constitute any sort of hardship for Target. Targets 2013 Annual Report summarized this well (emphasis added): [3]

We plan to accelerate a previously planned investment of approximately $100 million to equip our proprietary RED cards and all of our U.S. store card readers with chip-enabled smart-card technology by the first quarter of 2015.

In addition, we may accelerate or make additional investments in our information technology systems, but we are unable to estimate such investments because the nature and scope has not yet been determined. We do not expect such amounts to be material to any fiscal period.

Retailers compete on the retail experience, price and availability. Consumers are not concerned with data security at the point of sale and they should not have to be. Target obviously understands this, since Target did not commit to improving their security stance outside of accelerating an existing plan despite the cost “not being material to any fiscal period”. In other words, improving information security does not represent a significant cost to Target, but the organization is still unwilling to outright commit to additional improvements, even immediately after experienced a breach.

There are situations where the opinion of the consumer does not matter at all because, well, they are not the customer but rather the product. According to former Equifax CEO Richard Smith roughly ten percent of Equifax revenue comes from sales to consumers. As consumers we do not have real control over whether or not our data is ever stored with Equifax or other data brokers. Data brokers are incredibly powerful in people’s lives notably controlling access to housing and credit, two things that every American will need in their life. In this model, consumer’s data is the product and large businesses such as banks are the customers. Senator Jeff Flake (R) when discussing the 2017 breach at Equifax that leaked 147 million sensitive records, makes this point well. Flake states in his opening statement during the Senate Judiciary Subcommittee on Privacy’s interview of former Equifax CEO Richard Smith that:

It [the 2017 breach] happened because data brokers have created an industry wide culture that appears to not prioritize the security of consumer’s information. Traditional data brokers, those who make a profit on buying and selling data to other companies, have very little direct interaction with consumers. They have very little incentive to earn or protect consumer’s trust, so resources are invested in increasing profits and security is apparently treated as an expenditure that needs to be minimized. This of course is unacceptable. [4]

To quantify the cost, over 2017 and 2018 Equifax paid $668.2 million dollars as a result of the breach but received two insurance payments totaling $125 million dollars bringing the total paid down to $443.2 million [5]. Equifax has settled with the Federal Trade Commission to pay up to an additional $700 million for the breach. Out of that $700 million dollars, $175 million that will be paid out to states, $100 million that will be paid out to the Consumer Finance Protection Bureau and up to $425 million for consumer claims [6] . Famously, the media has been reporting that every consumer affected by the breach would receive $125, which is misleading. The consumer fund would have to be $18.375 billion for all 147 million people affected to get $125. In addition to this, people who can show that their data was used in the commission of fraud can make claims for damages of up to $20,000 which would be on top of the $18.375 billion-dollar figure. This is actually a great deal for Equifax, since Equifax gets to cap future liability at $700 million and consumers have to proactively request compensation, which means that there will likely be a relatively low number of requests. There is still the matter of how much more Equifax’s insurance will cover, leaving further uncertainty regarding how much Equifax will actually pay. Assuming an unlikely scenario worst-case scenario, were the entire $700 million is paid out, and Equifax’s insurance does not pay anymore, which they probably will, the per record cost of this breach is still at a mere $7.78 per record including the settlement and $443.2 million Equifax has already paid.

This settlement shows how the government often protects companies and more than consumers. Capping liability from consumers shows that quite well. If a consumer has suffered more than $20,000 in damages, under this settlement, those damages in excess of $20,000 are now the responsibility of the consumer unless the consumer takes their own legal action. Depending on who the consumer is, taking legal action against Equifax may be an untenable financial task. Using the legal system is an expensive and risky endeavor for anyone who does not already have a large bank account. This settlement effectively limits Equifax’s liability from people most hurt by their negligence.

Furthermore, the FTC settlement puts the onus on consumers to claim their funds. Equifax is a data broker, their business is to know data about consumers including things like address history; the settlement could have simply ordered Equifax to mail affected consumers a check. Perhaps that this course of action was not taken because the pitiful amount of money that each consumer would get from the tiny consumer claims portion of the settlement: a mere $2.89.

This week Capital One was breached due to a “misconfiguration” in their Amazon Web Services cloud environment. According to a release from PR Newswire, the public relations firm releasing Capital One’s announcements, the incident is expected to have the following impact:

We expect the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support…

The Company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million... [7]

Capital One will barely notice this cost because insurance will probably pay for the majority of it. Their premium may go up a bit but after having a $100-$150 million-dollar cost covered an increased premium is hardly a punishment. For Capital One and other large companies, data security is simply a numbers game; it’s not about actually securing data. We do not know what the actual cost to Capital One will be, but with a $10 million-dollar deductible and a $400 million-dollar limit, it is fair to say that the cost will likely be less than $1 dollar per record.

As any Certified Information Systems Security Professional (CISSP) will tell you, the Annualized Loss resulting from an exploit is equal to the Exposure Factor multiplied by the Asset Value multiplied by the Annual Rate of Occurrence. This formula never takes into account the costs to people; however, this is how businesses prioritize security spending. Companies get away very cheaply with such egregious security practices even though it is the public that suffers. It’s hard to think this is by accident. There is plenty of evidence from mere observation, annual reports, CEO testimony and industry training manuals that companies are not looking out for consumers, unless it suits them, even though these companies are obviously profiting from consumer’s data.

Data has been referred to recently as “the new gold” or as Britney Kaiser, Former Director of Business Development at Cambridge Analytica and now whistleblower, stated in the documentary The Great Hack, “the wealthiest companies are technology companies. Google, Facebook, Amazon, Tesla and the reason that these companies are the most powerful companies in the world is last year [2017], data surpassed oil in its value. Data is the most valuable asset on earth”. [8] This is true yet as consumers we do not have control over our own data. Companies are allowed to leak our data without any real cost to them while exposing consumers to risk without compensation outside of cheap credit monitoring. Consumers are the modern natural resource and just like the earth does not benefit from being exploited neither do consumers.

The European Union has legislated the General Data Protection Regulation (GDPR) in an attempt to add real costs to data breaches. Under new GDPR guidelines British Airways was fined a record $230 million dollars for a data breach involving 500,000 customers or $460 dollars per record, far more than Equifax or Target [9]. The fine does not include costs such as legal fees, remediation and other expenses that can be associated with a data breach. In terms of revenue by 2018 numbers, British Airways recorded $24.4 Billion in revenue which makes the fine alone approximately .94% of revenue [10]. This could have been up to 4% of revenue base on GDPR guidelines.

Ideally companies would protect consumer data because most people would consider that “the right thing to do” but that is not the case. This a perfect place for government regulation to enforce the public good. In his summarized testimony during the Senate Hearing on Privacy, Richard Smith states that, “No single company can solve the larger problem on its own.” Smith is right, there needs to be systemic change to address the issues that the market clearly fails to.

In the information security industry, there is an ideology that responsible disclosures alone will force companies to have better practices. Although this has had some success, this strategy has definitely shown diminishing returns in recent years. A regulatory solution is the only action that can incentivize companies to act in the public interest.

Only time will tell if steeper penalties alone will compel companies to improve but we should take solace in the fact that legislation has worked in the past. Before regulations barred companies from disposing of industrial waste into rivers, dumping was common place. Infamously, the Cuyahoga River in Ohio caught fire as a result of companies abusing the commons. The Cuyahoga River catching fire was the spark that spawned the Environmental Protection Agency. So many catastrophic breaches have happened, it is hard to think that the metaphorical river is not burning. It is time for our government to finally defend the digital commons and demand that companies stop treating consumers with such low regard by penalizing those that fail to defend our data; this can change the equation.

References

  1. S3 Leaks from the DOD
  2. Krebs Talks About Capital One
  3. Target’s 2013 Annual Report
  4. PBS News Hour YouTube Channel Former Equifax CEO testifies before Senate Judiciary Subcommittee
  5. Equifax Annual Report 2018
  6. Reuters Equifax Settlement Breakdown
  7. PR Newswire Capital One
  8. Mark Cuban “Data is the new gold
  9. GDPR Fine
  10. British Airways Annual Report 2018