Assessing The Cost, Legal Fallout Of Capital One Data Breach
By Jack Lu (August 15, 2019)
On July 29, 2019, Capital One Financial Corp. announced that, on July 19,
it discovered unauthorized access that compromised certain personal
information contained in credit card applications and related to its credit
card customers. About 106 million individuals, including 100 million
Americans and 6 million Canadians, have been affected. “No credit
card account numbers or login credentials were compromised and less
than one percent of Social Security numbers were compromised,”
according to Capital One’s information on the cyber incident. Specifically,
about 140,000 Social Security numbers of its credit card customers and
about 80,000 linked bank account numbers were compromised, in
addition to approximately 1 million Social Insurance Numbers of Canadian
As part of the investigation, Paige A. Thompson, a former Amazon Web Services employee,
was arrested and accused of “intruding into the servers rented or contracted” by Capital
One. Specifically, “a firewall misconfiguration permitted commands to reach and be executed
by that server,” which enabled the intrusion. Capital One’s news releases confirmed that
Thompson “was able to exploit a specific configuration vulnerability in our infrastructure.”
Based on the court documents and news reports, the compromised
data was stored on AWS’s Simple Storage Service. However, Amazon quickly pointed out
that the unauthorized access was not “through a breach or vulnerability in AWS
Capital One reported that it had “immediately fixed the configuration vulnerability that this
individual exploited” and that “it is unlikely that the information was used for fraud or
disseminated by this individual.” Still, less than 24 hours after Capital One announced the
data breach, New York State Attorney General Letitia James’ office decided to begin an
investigation into the incident. Also, nearly a dozen law firms declared that they were
looking into the matter and planned to file class actions against Capital One on behalf of its
customers and shareholders. Indeed, it was reported that a class action had already been
filed in federal court in Washington, D.C.
Capital One estimated that an incremental cost of $100 million to $150 million will be
incurred in 2019 due to the data breach, mainly to cover customer notifications, credit
monitoring, technology costs and legal support. According to Morgan Wright, a
cybersecurity expert, the cost will “exceed $200 to $300 million dollars by the time it’s all
said and done.”
This article sheds light on the potential cost that could be incurred by Capital One in the
wake of the data breach, as part of our efforts to help professionals and the general public
fathom the magnitude of the impact. As the investigation continues, further information will
be revealed. We hope this article will also offer a framework for those monitoring the
investigation to organize and better digest the additional information that will be revealed.
Top-Down Cost Estimate: Approach the Unknown Numbers With the Known Ones
It is evident that an incident like the Capital One data breach will have a significant
social and private impact. The analysis in this section will focus mainly on the impact to
Capital One, gauged by the cost to be incurred as a result of the data breach. Our analysis
will estimate the incremental direct cost incurred for incident management and for post-
incident legal processes and regulatory procedures, as well as the total cost that includes
both direct and indirect costs.
The analysis in this section will take a top-down approach, so as to obtain an order of
magnitude of the financial impact on Capital One. To do this, we dig into the toolkit of a
typical economist and financial analyst and look into the stock market and comparable
transactions for answers.
Total Cost as Implied by Stock Market Reaction: An Event Study
Capital One announced the incident on July 29 after the market closed, and its stock price
declined by 5.89% on July 30. However, it recovered strongly on July 31, posting a 1.33%
increase on a day when the Standard & Poor's 500 Index fell 1.09%. The abnormal returns,
i.e., daily stock price changes adjusted for the changes in the S&P 500 Index, were -5.57%
and 2.56% on July 30 and 31, respectively, both statistically significant at better than the
5% level. The two-day cumulative abnormal return (CAR), obtained by compounding the two
daily abnormal returns ((1 - 5.57%) x (1 + 2.56%) - 1), is -3.15%, statistically significant
at about the 5% level, which corresponds to a decline in stock market value of $1.44 billion.
Since there were not statistically significant abnormal returns after July 31, it is assumed
that all information revealed so far has been digested and fully incorporated into stock
By contrast, after announcing its data breach event in 2017, Equifax Inc. witnessed a
seven-day turmoil in its stock trading, ending the period with a -34.9% CAR, which
translated to loss of market value of $5.9 billion. At this stage and based on the
information available, the stock market is pricing the Capital One breach fairly differently
However, it is hard to know exactly how the stock market was pricing the total cost of the
Capital One breach. One way to back out the net total cost is through the price-to-earnings
ratio. Before the breach announcement, Credit Suisse Group AG reported a P/E ratio of 8.7 for
Capital One. Dividing the market cap loss of $1.44 billion by this ratio gives the implied hit
to after-tax earnings, and adding back the tax shield converts it to a pre-tax net total cost
of $228 million. Since the market reaction should reflect only the cost net of insurance
recoveries, and Capital One has insurance coverage of up to $400 million, the total cost is
estimated to have an upper bound of $628.4 million.
Direct Cost as Implied by Comparable Market Transactions
The direct cost, i.e., the total cost net of indirect cost, is estimated from comparable
transactions. Two such methods are used: the econometric model method and the method of
comparable cost per breached record.
1. Econometric Models Derived From Comparable Market Transactions
Using the 106 million records affected in the Capital One breach and a projected 2019
revenue of $29,038 million, the Romanosky model yields a direct cost of $174 million.
For the Yamada et al. model, which was developed from breach data from Japan, we use only
the constant term and the coefficients of revenue and number of victims. Applying the model
to Capital One in this fashion, the direct cost is calculated to be $963
million. Taking a mid-point, the direct cost of the Capital One breach is estimated to be
2. Comparable Transactions Method
We use two criteria to search for and collect comparable transactions. First, more than 50
million records were compromised as a result of data breach incidents; and second, the
companies reported the total direct costs incurred. Two such comparable transactions
were reported in Paul Hershberger’s 2017 study: the Target Corp. 2013 breach and
the Home Depot Inc. 2014 breach. The most recent incident is the Equifax 2017 breach.
However, it seems that the stock market has so far priced the Equifax 2017 breach
differently from the Capital One incident. Nevertheless, the Equifax 2017 breach is included
in the table below as a sample.
The information presented in the table below is from Hershberger’s 2017 study, the annual
reports of Home Depot and Target and various news releases from Equifax and Capital One.
As shown in the table, applying the cost per breached record from the Target 2013 and
Home Depot 2014 breaches, the direct cost of the Capital One breach is estimated to be $442
million and $564 million, respectively. However, in case the investigation in the Capital One
breach eventually makes it comparable to the Equifax 2017 breach, the direct cost could be
as high as $975 million.
There are several important takeaways from the cost estimates above. First, based on the
stock market reaction so far, the impact of the Capital One breach appears much more benign
than that of Equifax in 2017, both relative to market cap and in absolute market value lost.
Second, assuming markets are efficient, the total cost of $628 million derived from the event
study would include $442 million to $564 million of direct cost, implying an indirect cost of
$64 million to $186 million. This indicates that the Capital One data breach likely will not
cause significant losses in revenue or a permanent increase in operating expenses. Our
conclusion is consistent with the opinions released so far by equity analysts covering
Capital One.
That said, in case the stock market has not correctly priced the Capital One breach due to
the lack of information, there are two possible scenarios of the direct cost to be incurred by
Capital One. The company expects an incremental cost of $100 million to $150 million in
2019 for managing and controlling the breach. The IBM-Ponemon report shows that the cost
during the year of a breach typically accounts for 67% of the total cost over the three-year
period. Applying this percentage to the Capital One breach, the implied total direct cost
can be $150 million to $225 million. This number is close to, though at the lower end of,
Morgan Wright’s estimate of $200 million to $300 million, which was based on the scenario
that there was no “gross negligence, like it was at Equifax.”
On the other hand, if the investigation into the Capital One breach eventually makes it
comparable to the Equifax 2017 breach, the direct cost can be as high as $975 million,
which, in turn, would lead to a higher indirect cost, pushing the total cost well beyond the
$1 billion mark.
From the 10,000-Foot View to a Ground Zero Survey
The wide range of estimates reached above may actually reflect the huge uncertainty
overhanging the investigation into the Capital One data breach, which eventually will
determine the ultimate cost to Capital One. This section highlights some key issues that
contribute to such uncertainty that could swing the cost dramatically between the possible
lower and upper bounds.
Less About "Of" vs. "In"; More About Vulnerability vs. Type I/Type II Error?
Since the announcement of the data breach, cybersecurity experts have provided many
insightful analyses of the technical nature of the incident, which shed light on
whether there was negligence, and if so, where the negligence occurred, at AWS or Capital
One. To frame the discussions better, we take a step back and look into how AWS
infrastructure interfaces with its customers. The following diagram is taken from the shared
responsibility model published by AWS.
According to this model, AWS is responsible for security of the cloud, which is to protect the
infrastructure that runs all of the services offered in the AWS cloud. AWS customers are
responsible for security in the cloud; how much configuration work that entails depends on
which AWS services the customer selects. As described and reported by Brian Krebs, Paige
Thompson staged the intrusion by exploiting a misconfiguration in ModSecurity, an open-source
web application firewall Capital One used to protect against certain common vulnerabilities.
The misconfigured WAF could be induced to relay attacker-supplied requests to back-end
resources, a “server side request forgery” (SSRF) attack, and the role assigned to the WAF
carried more permissions than it needed, so the credentials reachable through that relay
could list and read far more stored data than a WAF requires. In other words, the attack was
initiated from the “in” side of the shared responsibility model.
However, another security expert, Evan Johnson, pointed out that, had AWS included “extra
identifying information in any request sent to the metadata service” on AWS platform, the
“of” side of the shared responsibility model, the attack might not have been able to reach
Amazon Simple Storage Service buckets and the data stored there.
Various reports cited security experts stating that such a misconfiguration vulnerability has
been known in the industry at least since 2014. However, according to Johnson, it would take
someone with “a lot of specialized knowledge” about several layers and function modules on
both the "in" and "of" sides to launch a successful SSRF attack, and Thompson happened to be
one such person. In short, a WAF misconfiguration on the "in" side, a
fairly permissive metadata service on the "of" side, and a knowledgeable Thompson who
decided to act on it, brought a perfect storm that caught both Capital One and AWS by
In retrospect, Capital One could have configured the WAF with the strictest rules and then
dealt with a large volume of false-positive alerts, which is prohibitively expensive at scale.
Or Capital One could have addressed the issue through AWS identity and access management by
scoping the WAF's role to least privilege, and then faced numerous troubleshooting requests,
a daunting task for a large enterprise such as Capital One. The two controls are not
exclusive: restricting where the WAF may forward requests and limiting what its credentials
can reach are independent, and either alone would have narrowed the impact.
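To make the chain concrete, the following is an added, self-contained Python model of the attack and of the defences discussed above; it is illustrative code written for this edit, not Capital One's or AWS's code, and it makes no network requests. The metadata service paths and the token header names follow AWS's public documentation; the role name, credential values, bucket names and the upstream host are constructed placeholders. The token-protected variant of the mock metadata service is the shape of the change Johnson described (AWS later shipped such a token-based service, IMDSv2, in November 2019, after this article was written), and the minimal IAM model is there only to show how the attached role's scope bounds what leaked keys can read.

```python
"""Added example (not Capital One's or AWS's code, no network traffic): an in-process
model of the SSRF chain attacker -> misconfigured relay -> instance metadata service
-> role credentials -> S3, and of the "in"- and "of"-side defences discussed above.
IMDS paths and token header names follow AWS's public documentation; the role name,
key values, bucket names and upstream host are constructed placeholders."""
import ipaddress
import json
from fnmatch import fnmatch
from urllib.parse import urlparse

METADATA_HOST = "169.254.169.254"             # real IMDS address
ROLE_NAME = "example-waf-role"                # constructed
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example", "Token": "x"}
ALLOWED_UPSTREAMS = {"app.example.internal"}  # constructed backend the relay may reach

class MetadataService:
    """Mock IMDS. require_token=True is the shape of Johnson's 'extra identifying
    information': a token issued only to a PUT with a custom header, which a GET-only
    SSRF relay cannot send."""
    def __init__(self, require_token):
        self.require_token, self.tokens = require_token, set()

    def handle(self, method, path, headers):
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, "ttl header required"
            token = f"tok-{len(self.tokens) + 1}"
            self.tokens.add(token)
            return 200, token
        if self.require_token and headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return 401, "token required"
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, ROLE_NAME                   # which role is attached
        if path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            return 200, json.dumps(FAKE_CREDS)      # that role's temporary keys
        return 404, ""

def _send(url, mds):
    """Simulated network: the relay always forwards a plain GET with no custom headers."""
    p = urlparse(url)
    if p.hostname == METADATA_HOST:
        return mds.handle("GET", p.path, {})
    if p.hostname in ALLOWED_UPSTREAMS:
        return 200, f"upstream response for {p.path}"
    return 502, "no route"

def vulnerable_relay(target_url, mds):
    """The misconfiguration: forwards whatever URL the client supplies."""
    return _send(target_url, mds)

def destination_allowed(url):
    """'In'-side fix: only the configured backend, never link-local/loopback/private
    addresses. A bare denylist of 169.254.0.0/16 is weaker (alternate encodings, DNS
    rebinding), so the allowlist is primary and the address check is defence in depth."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        if not ipaddress.ip_address(p.hostname).is_global:
            return False
    except ValueError:
        pass                                        # a hostname, not an IP literal
    return p.hostname in ALLOWED_UPSTREAMS

def hardened_relay(target_url, mds):
    if not destination_allowed(target_url):
        return 403, "destination not allowed"
    return _send(target_url, mds)

def steal_credentials(relay, mds):
    """Attacker's chain: learn which role is attached, then fetch its keys."""
    base = f"http://{METADATA_HOST}/latest/meta-data/iam/security-credentials/"
    status, role = relay(base, mds)
    if status != 200:
        return None
    status, body = relay(base + role, mds)
    return json.loads(body) if status == 200 else None

def role_allows(statements, action, resource):
    """Minimal IAM model (Allow statements only; no Deny, conditions or bucket policies):
    the attached role's scope sets the blast radius of leaked keys."""
    return any(any(fnmatch(action, a) for a in s["Action"])
               and any(fnmatch(resource, r) for r in s["Resource"]) for s in statements)

OVERLY_BROAD_ROLE = [{"Action": ["s3:*"], "Resource": ["*"]}]
LEAST_PRIVILEGE_ROLE = [{"Action": ["s3:GetObject", "s3:PutObject"],
                         "Resource": ["arn:aws:s3:::waf-logs-example/*"]}]
CUSTOMER_DATA = "arn:aws:s3:::card-applications-example/batch-0001.csv"  # constructed

def scenarios():
    """Which combinations leak the role's keys, and what leaked keys could read."""
    v1, v2 = MetadataService(require_token=False), MetadataService(require_token=True)
    return {
        "misconfigured_relay_tokenless_imds": steal_credentials(vulnerable_relay, v1) is not None,
        "hardened_relay_tokenless_imds": steal_credentials(hardened_relay, v1) is not None,
        "misconfigured_relay_token_imds": steal_credentials(vulnerable_relay, v2) is not None,
        "broad_role_reads_customer_data": role_allows(OVERLY_BROAD_ROLE, "s3:GetObject", CUSTOMER_DATA),
        "scoped_role_reads_customer_data": role_allows(LEAST_PRIVILEGE_ROLE, "s3:GetObject", CUSTOMER_DATA),
    }
```

Calling scenarios() returns five booleans: the misconfigured relay against the token-less metadata service leaks the role's keys; either restricting the relay's destinations (the "in" side) or requiring the token (the "of" side) breaks the chain on its own; and the scoped role cannot read the customer-data object even when its keys do leak. The relay is allowlist-based rather than denylist-based on purpose: blocking only 169.254.169.254 is the control most often bypassed in practice.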
In short, there are many technical, legal and economic questions that hopefully the
investigation will eventually answer, which, in turn, will determine the nature of the Capital
One breach, as well as its financial impact.
Regulatory Enforcement and Private Actions: Muddle Through the Hurdles
So far, no federal regulatory entity has launched an investigation or started an
enforcement process, apart from a blog post put out by the Federal Trade Commission.
However, New York Attorney General Letitia James announced on July 30 that her office
planned to investigate the incident. At this stage, it is impracticable to foretell whether
and when any federal agencies or state AG offices will eventually investigate the incident.
However, if questionable practices are revealed or complaints lodged by consumers or
competitors in the next months, investigations may ensue. For example, the FTC may start
its investigation under Section 5 of the Federal Trade Commission Act, targeting “unfair or
deceptive acts or practices” possibly involved in the data breach. Also, the FTC and
the Consumer Financial Protection Bureau may jointly investigate whether a party has
violated the safeguards rule of the Gramm-Leach-Bliley Act of 1999, which requires financial
institutions to develop and implement information security programs to protect the
confidentiality and integrity of consumer personal information.
Since the compromised credit card application records also contain credit scores, credit
limits, payment history and other related information, if questionable practices are reported
or complaints filed, the FTC and CFPB could start enforcement processes under the Fair
Credit Reporting Act of 1970 and other applicable laws. Also, since Capital One is a publicly
traded company, the U.S. Securities and Exchange Commission can initiate its own
investigation, or join the investigations launched by other federal agencies. Finally, states
can start their investigations under federal laws and various state laws, and Canadian
authorities can launch their investigations under Canadian laws. To summarize, the
possibilities of these investigations, and the possible consequences that may result, will all
have significant financial impacts on Capital One.
While it is hard to predict at this stage whether federal agencies and state AGs will
eventually investigate the incident, it is certain that private actions will be filed against
Capital One, and a class lawsuit has already been filed. However, this does not necessarily
mean that such lawsuits will eventually have any significant financial impact on Capital One,
except for litigation costs. Most of the lawsuits will be filed as class actions, either against
the company on behalf of customers whose personal data are compromised or on behalf of
Capital One shareholders against the company’s executives and board directors.
These lawsuits will have many hurdles to overcome, and the plaintiffs should expect some
pretty steep uphill fights down the road. For class actions against Capital One on behalf of
customers whose personal data were compromised in the aftermath of the breach, the
battle for Article III standing will be critically important. In Clapper v. Amnesty
International USA, the U.S. Supreme Court required “that threatened injury must be
certainly impending,” and hypothetical future harm is not certainly impending. The
uncertainty will be high for the customers suing Capital One over the compromised personal
data, as security experts seem to agree with Capital One that the breached data has not
been used for fraud, nor otherwise abused.
In addition to the Article III standing issues, the plaintiffs will also face tremendous
challenge in addressing the common issues in class certification. Most importantly, the
Supreme Court now mandates a damages model applicable to the proposed class and
attributable to the damages theory as part of the class certification procedure, which
dramatically raised the bar for class certification. As economists have concluded,
“information lost may not be information abused. The cost of information lost should differ
depending on whether the lost information is used maliciously or not.” If there is no
evidence that the data has been abused, there will be no damages theory, let alone an
applicable damages model.
Public Policy Implications
At the estimated direct cost of $500 million, with a possible range of $200 million to $975
million, all of which are on top of other indirect cost in lost revenue from damaged business
reputation and brand name, the stakes are very high for Capital One and other parties
involved. If investigations eventually prove negligence or violations of laws, Capital One
and/or AWS should be held accountable, and proper fines or penalties should be imposed,
as with Equifax, Facebook and others.
However, courts and regulatory agencies should proceed with extreme care and try to strike
a balance between protecting privacy on the one hand and optimizing capital allocation and
encouraging technology innovation and adoption on the other. AWS is an undoubted leader
in cloud computing technology, and Capital One is among the earliest adopters that took
advantage of such technology innovation. Cloud computing technology, like all technological
innovations, will have certain flaws or defects. It is important to keep in mind that
improving technology will rely not only on further research and development, but also on
the feedback from adopters and users. If Capital One and/or AWS were punished
improperly, it would send a signal to all technology innovators and adopters, causing delays
in releasing new products or adopting new technologies until all defects are fixed, which
most likely will never happen.
As the real options pricing model teaches us, by imposing improper penalties on Capital One
or AWS, the courts or regulatory agencies would essentially be selling a call option to
Capital One and AWS with a strike price at the penalties imposed. Such an option to delay
releasing new products or adopting new technologies would be detrimental to consumers and
society, as ultimately it is new technologies that will enhance the protection of our privacy.
To a great extent, a certain level of security risk has become a systematic risk that our
society will need to invest in over the long run to reduce, which also means that, in the
short run, there will be security risks we as a society will have to tolerate. In other words,
companies such as Capital One and AWS should be penalized for negligence or violations of
laws, which are deemed to be idiosyncratic risks generated by the companies but should not
be overpunished for the risks inherent in our networked world. By distinguishing the
systematic risks and idiosyncratic risks, courts and regulatory agencies should be able to
make appropriate decisions, so that precious capital will be allocated to developing and
improving technologies, instead of gaming our legal system.
Jack Lu, Ph.D., is the founding partner and chief economist at IPMAP LLC.
The opinions expressed are those of the author(s) and do not necessarily reflect the views
of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This
article is for general information purposes and is not intended to be and should not be taken
as legal advice.
 https://finance.yahoo.com/quote/COF?p=COF, accessed and counted on August 5,
 Our definitions are similar to the cost definitions in Paul Hershberger, “Data Breach
Impact Estimation”, 2017, at
https://www.sans.org/reading-room/whitepapers/dlp/data-breach-impact-estimation-37502.
Our direct cost definition is
consistent with those in Sasha Romanosky, “Examining the costs and causes of cyber
incidents”, Journal of Cybersecurity, Volume 2, Issue 2, December 2016, Pages 121–135;
and “Mathematical Model to Estimate Loss by Cyber Incident in Japan”, Yamada, 2019,
at http://insticc.org/node/TechnicalProgram/icissp/presentationDetails/73685. Compared to
the cost definition in “Cost of a Data Breach Report,” published by IBM Security based on
the analysis from the prestigious Ponemon Institute, the direct cost in this analysis would
cover the first three cost categories of IBM report, including those for detection and
escalation, notification cost, and post data breach response; and the indirect cost would
include mainly the fourth category of lost business cost. Page 12, “Cost of a Data Breach
Report 2019”, IBM Security
 Event study is an econometric method commonly used by economists and financial
analysts to detect and quantify the impact of specific events. For example, event studies
can be employed to detect the effects on stock prices from corporate events or transactions
such as mergers and acquisitions, disclosure of fraud or breakthroughs in major R&D
efforts. Usually event studies would report abnormal returns (AR) or cumulative abnormal
returns (CAR) in stock prices during the defined event windows as the measures of the
impact. Abnormal return simply means the stock price change adjusted for the change in
overall market index, i.e., the return on top of the change in overall market index. This
paper offers one of the best summaries about event study and how to use it: “Event Studies
in Economics and Finance”, by A. CRAIG MACKINLAY The Wharton School, University of
Pennsylvania, Journal of Economic Literature Vol. XXXV (March 1997), pp. 13–39.
 Based on similar event study we conducted on Equifax stock prices for the 7-day
period after it announced the breach on September 7, 2017.
 As summarized by Romanosky (“Examining the costs and causes of cyber incidents”,
Journal of Cybersecurity, Volume 2, Issue 2, December 2016, Pages 121–135) and Yamada et al.,
2017 (“Mathematical Model to Estimate Loss by Cyber Incident in Japan”, at
http://insticc.org/node/TechnicalProgram/icissp/presentationDetails/73685), there have
been efforts in developing econometric models to associate direct cost or total cost with
different variables such as revenue and number of records compromised or number of
victims affected, among various other binary variables indicating the status or
characteristics of an incident. The models are only as good as the data underlying them,
and each has certain advantages and disadvantages. The Romanosky model and the
Yamada et al. model are certainly among the most recent efforts on this front and represent
the finest. Still, it seems to us that the Romanosky model and the Yamada et al. model
were derived from different data sets, in the sense that the former has an underweight on
revenue and moderate weight on records compromised, while the latter, an overweight of
revenue and underweight of number of victims. Our analysis takes the mid-point of the
results derived from the two models to average out the underweight and overweight effects
inherent in the models.
 Credit Suisse Analyst Report, Capital One Financial Corp., July 30, 2019.
 Several financial analysts have expressed their opinions that essentially pointed to an
insignificant effect of the breach on long term stock price, though some analysts have
concerns over the short-term impact. For example, Credit Suisse Report on Capital One
Financial Corp, “Our Thoughts On The Recent Data Breach”, July 30, 2019. See
 For examples, see: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-
concerns-for-AWS, and https://finance.yahoo.com/news/capital-one-hack-amazon-web-
 Also, an effort in detecting and blocking certain attacks may have unexpected impact
on the operations of the certain other functions. For example, according to KrebsOnSecurity,
Johnson acknowledged that fixing the metadata service issues on the AWS side may cause
backwards compatibility issues within AWS.
 This article focuses on class actions on behalf of customers whose personal data were
compromised. Class actions on behalf of shareholders will face the same class certification
hurdles. Additionally, the Supreme Court’s ruling in Dura Pharms., Inc. v. Broudo has made
the damage calculation much more challenging for plaintiffs in securities litigation.
 As summarized in Spokeo v. Robins, there is a three-prong test for the plaintiff to
establish Article III standing: 1) an injury in fact; 2) fairly traceable to the challenged
conduct of the defendant, and 3) likely to be redressed by a favorable judicial decision. The
decision in Spokeo, Inc. v. Robins explicitly stipulated that “an injury in fact must be both
concrete and particularized.” Spokeo, Inc. v. Robins, 578 U.S. ___ (2016).
 Clapper v. Amnesty International, 568 U.S. 398 (2013)
 Traditionally, “a party seeking to maintain a class action must be prepared to show
that Rule 23(a)’s numerosity, commonality, typicality, and adequacy-of-representation
requirements have been met and must satisfy through evidentiary proof at least one of Rule
23(b)’s provisions.” Comcast Corp. v. Behrend, 569 U.S. 27, 33-34 (2013).
 “Information Lost: Will the "Paradise" That Information Promises, to Both Consumer
and Firm, Be "Lost" on Account of Data Breaches? The Epic is Playing Out”, Catherine L.
Mann, in “Economic Analysis of the Digital Economy,” University of Chicago Press, April
2015. Also, “The Economics of Privacy” by Alessandro Acquisti, Curtis Taylor and Liad
Wagman, Journal of Economic Literature, Vol. 52, No. 2, 2016.