Capital One Financial Corp., in recent years, has beat the drum every chance it got: The cloud is cheaper. The cloud is faster. And the cloud is far more secure.
Then a hacker got into the cloud, siphoning off sensitive information for more than 100 million of Capital One’s customers.
That revelation late Monday thrust the third-largest U.S. credit-card lender into the center of the latest massive data breach, and now threatens to upend a technology strategy personally championed by longtime Chief Executive Officer Richard Fairbank. He’s been one of the financial industry’s most vocal proponents for shifting sensitive customer information to outside cloud services -- a move that he’s promised would cut costs and offer a suite of other benefits.
“We are now considered one of the most cloud-forward companies in the world,” Fairbank told shareholders in April.
Just weeks before, according to U.S. prosecutors, a hacker began tapping into a vast trove of information from Amazon.com Inc. servers the bank was using. The breach is calling into question the lender’s strategy for reducing technology costs while taking advantage of the cloud’s rapid scalability and burgeoning array of applications.
“The magnitude of this breach is very large,” JPMorgan Chase & Co. analysts led by Richard Shane said in a note to clients. “While it is unclear whether this is directly related to Capital One’s transition to a cloud-based infrastructure,” there is likely to be “renewed concern going forward.”
Capital One’s shares dropped as much as 7.9% Tuesday morning, their biggest intraday decline in almost four years. The slump pared the stock’s advance for the year to 19%, just above the gain for the 68-company S&P 500 Financials Index.
Addresses, Income
Capital One said that about 100 million U.S. consumers were impacted by the breach. The stolen data, stored on servers rented from Amazon Web Services, was personal information found on card applications, such as names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.
On Monday, authorities arrested and charged Paige A. Thompson, a 33-year-old former Amazon Web Services employee, with computer fraud and abuse. In a complaint filed in Seattle, prosecutors said that Thompson exploited an improperly configured firewall and accessed the data at various times between March 12 and July 17. The bank said it immediately fixed the problem once it was discovered.