“These things happen because of human nature,” said Chris Vickery, a security researcher who specializes in finding unguarded data caches. “These systems are very complex and very granular. People make mistakes.”
More than 11 billion records are known to have been exposed in data breaches since 2005, according to a tracker maintained by the Privacy Rights Clearinghouse. In recent years, huge caches of sensitive data have been taken from individuals’ Anthem health care files, Equifax credit bureau records, mortgage documents held by the title services company First American, Yahoo email accounts and even federal employment records.
Security was, for decades, treated in most industries as an annoying expense. Banks have always been an exception, with high budgets and fairly sophisticated security operations.
Mastercard, for example, has a windowless bunker at its data center in Missouri, where a group of security experts work. Citigroup runs three cyberattack response centers — in Budapest, New York and Singapore — that give it round-the-clock coverage. JPMorgan Chase spends nearly $600 million a year on security, and Bank of America’s chief executive has said the bank’s security team has a “blank check” for its spending.
But attackers keep slipping through.
Cybersecurity “may very well be the biggest threat to the U.S. financial system,” Jamie Dimon, JPMorgan’s chief executive, said in an April letter to shareholders. His company was the victim of a major data breach in 2014 after hackers exploited an employee password to steal data on 76 million households.
The average cost of a security breach in the United States has escalated in recent years to $8.2 million, according to a study by IBM Security and the Ponemon Institute.
The cost for companies of Capital One’s size can climb much higher, particularly when class-action lawsuits and fines from regulators come into play. The credit bureau Equifax said last week that it would pay about $650 million — perhaps much more — to resolve most claims stemming from a 2017 breach that affected 147 million people.