Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Case File 04.COF / Capital One Financial Corp. | Disclosed 29 Jul 2019

Case ID

Capital One 2019: $300M+, the cloud-misconfiguration precedent.

The case that established that cloud-infrastructure misconfiguration is the customer's liability even when the underlying provider is technically the data custodian. A former AWS engineer exploited a server-side request forgery vulnerability in Capital One's WAF configuration to extract IAM credentials, then enumerated S3 buckets containing 106M credit applications. Capital One paid an $80M OCC penalty and a $190M class-action settlement, with total disclosed cost crossing $300M.

Records exposed

106M

US + Canadian credit applications

Total cost

$300M+

Cumulative disclosed

OCC penalty

$80M

Risk-management failures

Class settlement

$190M

2021 final approval

Section COF.1

How the breach happened

Capital One ran its credit-application processing infrastructure on AWS. A misconfigured Web Application Firewall (WAF), specifically an AWS WAF rule that did not properly restrict server-side request forgery (SSRF) attacks against the EC2 instance metadata service, allowed the attacker to send crafted requests through the WAF to the instance-metadata endpoint. The metadata service returned the IAM role credentials assigned to the EC2 instance that hosted the WAF, which had broader-than-necessary read access to S3 buckets containing the credit-application data.

With the stolen IAM credentials, the attacker enumerated and downloaded the contents of S3 buckets containing approximately 106 million credit-application records, comprising US applicants (about 100 million) and Canadian applicants (about 6 million). The exposed data included names, addresses, dates of birth, credit scores, balances, transaction data, and (for approximately 140,000 applicants) SSNs, plus approximately 80,000 linked bank account numbers.

The attacker, Paige Thompson (online alias "erratic"), was a former AWS engineer who used technical knowledge of AWS architecture to identify the misconfiguration. Thompson's identity was revealed when she boasted about the breach on a public GitHub repository and a Slack channel. Capital One was alerted to the disclosure by a third party who saw Thompson's GitHub post, prompting the internal investigation that confirmed the breach. Thompson was convicted in June 2022 of wire fraud and seven counts of unauthorized access to a protected computer, and sentenced in October 2022 to time served plus five years of probation.
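Added example, not code from the original case file: a detection over constructed CloudTrail-style records for the credential-theft pattern described above, an EC2 instance role's temporary credentials being used for S3 list and get calls from an address outside the network the instance is expected to call from. The CIDR range, role ARN and event records are assumed and constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed: the CIDR ranges the instance role is expected to call AWS from.
EXPECTED_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed role ARN; for instance-profile credentials the STS session name is the instance ID.
WAF_ROLE = "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0abc123def456"

# Constructed CloudTrail-style records (not real Capital One telemetry): the instance role is
# used from its own VPC, then the same credentials appear from an outside address listing
# buckets and fetching objects; the last record is an IAM user and must not be flagged.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "10.0.1.25", "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}},
]

def instance_session(event):
    """Instance ID if the call used EC2 instance-profile credentials, otherwise None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None

def outside_expected_network(source):
    """True for an IP outside EXPECTED_CIDRS. CloudTrail may record an AWS service
    name (e.g. 'ec2.amazonaws.com') instead of an IP; that is not credential misuse."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in EXPECTED_CIDRS)

def find_instance_credential_misuse(events):
    """Group S3 calls made with an instance role's credentials from outside the
    expected network by (instance ID, source IP), counting each S3 action."""
    findings = {}
    for ev in events:
        inst = instance_session(ev)
        if inst is None or ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if outside_expected_network(ev.get("sourceIPAddress", "")):
            findings.setdefault((inst, ev["sourceIPAddress"]), Counter())[ev["eventName"]] += 1
    return findings
```

GetObject only appears in CloudTrail when S3 data-event logging is enabled for the bucket; with management events alone, the ListBuckets call from the unexpected address is the only signal this check sees.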

Section COF.2

The $300M cost composition

Cost line item | Amount | Source
OCC consent order (civil money penalty) | $80M | OCC consent order, 5 August 2020
Class-action settlement (consolidated) | $190M | Eastern District of Virginia, In re Capital One Consumer Data Security Breach Litigation, 2021
Direct response and remediation | ~$150M | Capital One SEC 10-K filings, 2019-2021
Insurance recovery (offset) | -($120M est.) | Capital One SEC 10-Q disclosures, Q3 2019
Net total cumulative cost | $300M+ | Capital One SEC 10-K filings, 2019-2022

Capital One disclosed an initial estimated cost of $100M-$150M in Q3 2019, expecting most of it to be recovered through insurance. The cumulative cost has roughly tripled that initial estimate, as the class-action and regulator-settlement amounts exceeded forecast and insurance recovery was less complete than expected.

Section COF.3

The OCC $80M consent order and what it required

The OCC consent order issued 5 August 2020 imposed an $80M civil money penalty for unsafe or unsound practices and violations of OCC rules related to information security. The OCC found Capital One in violation across multiple dimensions: failure to assess and act on the risks of operating in a public cloud environment, failure to establish appropriate risk-management standards, failure to take prompt corrective action when management was made aware of weaknesses, and failure of internal audit to identify weaknesses.

The consent order also imposed substantial structural requirements: enhanced cloud governance with board oversight, comprehensive risk-assessment programmes for all cloud workloads, augmented internal audit coverage, and ongoing OCC supervisory reporting. The structural requirements are arguably more consequential than the $80M monetary penalty because they have established the supervisory expectation for any national bank operating in public cloud, including expectations that flow downstream to fintech partners.

The OCC's parallel finding was particularly noteworthy: the OCC determined that Capital One had identified the WAF misconfiguration in an internal risk assessment prior to the breach but had not remediated it in a timely manner. The finding established a precedent that bank cybersecurity risk-assessment outputs must produce timely action, not just documentation, and that the failure to act on a self-identified risk is itself a violation of safety-and-soundness standards.

Section COF.4

The class-action settlement: $190M

The consolidated class action in the Eastern District of Virginia, In re Capital One Consumer Data Security Breach Litigation, settled for $190M in December 2021 and received final approval in September 2022. The settlement structure provided $25 per class member for documented credit-monitoring enrolment, up to $25,000 per class member in documented out-of-pocket costs, and three years of credit monitoring through Pango Group. The effective value of approximately $1.79 per class member (across the 106 million class members) was in the same range as the Anthem settlement and has been cited extensively as a healthcare/financial-services breach class-action benchmark.

The settlement was notable for the unusually high $25,000 per-claimant cap on documented out-of-pocket costs (compared to $10,000 in Anthem and Equifax). The higher cap reflected the inclusion of SSNs and bank account data in the Capital One breach (versus mostly identity data in Anthem), which made downstream identity-theft losses more plausible. In practice, claim volume for high-value out-of-pocket reimbursement was low, with most settlement value flowing through the credit-monitoring component.

Section COF.5

The cloud-shared-responsibility lesson

Capital One was AWS's most-publicised enterprise customer at the time of the breach. The company had publicly committed to running its entire technology stack on AWS by 2020 and was widely cited as a case study in financial-services cloud transformation. The breach raised obvious questions about the appropriate allocation of responsibility between the cloud provider and the customer.

AWS's position, articulated in subsequent statements and accepted by the OCC, was that the WAF misconfiguration was Capital One's configuration choice within the shared-responsibility model. AWS provided the WAF service with appropriate documentation about SSRF-protection configuration. Capital One configured the WAF in a way that did not invoke that protection. The breach was therefore Capital One's liability under the standard cloud shared-responsibility framework, despite the fact that the technical exploit traversed AWS infrastructure components.

The case has been used extensively by cloud providers and large enterprise customers to clarify the shared-responsibility allocation. The post-Capital One enterprise norm became more aggressive use of cloud-provider managed security services (where the provider takes more responsibility for correct configuration), more aggressive use of third-party Cloud Security Posture Management tooling to detect misconfigurations independent of the cloud provider's own assurance, and explicit board-level reporting on cloud-misconfiguration risk separate from generic cyber risk.
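As an added posture check in the spirit of the CSPM tooling described above (example code, not from the page, Capital One or AWS), this Python function scans an IAM policy document for Allow statements that grant S3 list and read actions on every bucket, the broader-than-necessary instance-role permission described in Section COF.1. Both policy documents are constructed illustrations, not Capital One's actual configuration.

```python
import fnmatch

# S3 actions that together let one credential enumerate buckets and download their contents.
# s3:ListAllMyBuckets can only be granted on "*"; it is flagged because it enables bucket
# enumeration, and a team may choose to rate that finding lower than the other two.
S3_READ_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")
BROAD_RESOURCES = ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")

def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]

def broad_s3_read_findings(policy):
    """Return (sid, action, resource) triples for Allow statements whose action
    patterns cover an S3 read/list action on every bucket. IAM action matching is
    case-insensitive and supports '*' wildcards, hence the lowercased fnmatch."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        sid = st.get("Sid", f"statement-{i}")
        for pattern in _as_list(st["Action"]):
            for read_action in S3_READ_ACTIONS:
                if fnmatch.fnmatchcase(read_action.lower(), pattern.lower()):
                    for res in _as_list(st.get("Resource", [])):
                        if res in BROAD_RESOURCES:
                            findings.append((sid, read_action, res))
    return findings

# Constructed: a WAF instance role that can read and list every bucket in the account.
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WafLogsAndMore", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

# Constructed: the same role scoped to its own log bucket only.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WafLogsOnly", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-waf-logs/*"},
    {"Sid": "ListLogBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-waf-logs"}]}
```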

Cross-references

Primary source: Capital One 2019 breach data from the OCC consent order of 5 August 2020, In re Capital One Consumer Data Security Breach Litigation, Capital One SEC 10-K filings 2019-2022, the DOJ press release on the Paige Thompson conviction (June 2022), and Capital One SEC 10-Q disclosures for Q3 2019.