August 08, 2019
"[O]ne of the largest-ever thefts of data from a bank" raises concerns about consumer privacy and data security at Capital One
Senator Warren Presses Capital One for Information about its Massive Data Breach and Accountability for Security Failures
Washington, DC - United States Senator Elizabeth
Warren (D-Mass.), member of the Senate Banking, Housing, and Urban Affairs
Committee, sent a letter to Capital One Financial Corporation Chairman and
Chief Executive Officer Richard Fairbank regarding the massive data breach
revealed last week that compromised sensitive personal information - including,
in some cases, Social Security numbers and bank account numbers - of over 100
million Capital One customers. The breach is "one of the largest-ever
thefts of data from a bank." Senator Warren expressed concerns with the
risks to consumer privacy, the company's failure to prevent the breach, Capital
One's plan to inform potentially affected customers, and the extent to which
the bank will hold key executives and contractors accountable.
Beginning in March 2019, a hacker was able to breach Capital One's database
and obtain personal data, mostly related to credit card applications. The
alleged hacker, a former employee of Amazon Web Services, which hosted the
database, has been arrested and charged with illegally obtaining the data.
Capital One indicated in a statement that the alleged hacker is a "highly
sophisticated individual" who previously worked at Amazon Web Services in
September 2016. The alleged hacker's knowledge, however, may not be unique -
tens of thousands of employees work or have worked at Amazon Web Services and
thousands more work at Capital One - and "some researchers have noted that
the techniques allegedly used and the security weaknesses allegedly exploited
are commonly known."
Senator Warren expressed concern that Capital One did not detect the breach
until nearly four months after the incident and that the bank never specified
how and when it will notify affected customers.
"It is critical that individuals or businesses whose data was exposed
due to Capital One's security failures receive adequate and timely
notifications," wrote Senator Warren. "The public
deserves to know exactly what the company plans to do to ensure that consumers'
accounts and application information are protected from the consequences of
Capital One's security failures."
To address these concerns and provide the public with clarity about this
breach, Senator Warren asked that Capital One respond by August 19, 2019 and
explain how the company database was breached, which security systems failed or
were insufficient, what steps the company has taken to fix both the
vulnerability and the systems that failed to detect the breach, and what
efforts the company will make to rectify the impact of the breach and hold
executives accountable.
In the aftermath of the massive Equifax breach in 2017, Senator Warren
opened an investigation into the causes of the breach and the company's
response, and since then, she has taken action to address data security
problems, improve federal oversight of financial institutions, and better
protect consumers:
- In June 2019, Senators Warren
and Wyden, and Chairman Cummings released
a Government Accountability Office (GAO) report identifying significant
gaps in the federal government's treatment of citizens' personally
identifiable information.
- In May 2019, Senator Warren
and Chairman Cummings reintroduced the bicameral Data
Breach Prevention and Compensation Act with Senator Mark Warner
(D-Va.) and Representative Raja Krishnamoorthi (D-Ill.) to hold large
credit reporting agencies (CRAs) accountable for data breaches involving
consumer data.
- In April 2019, Senator
Warren introduced the Corporate Executive Accountability Act, legislation
that would make executives of big corporations criminally liable if their
companies commit crimes, harm large numbers of people through civil
violations, or commit new violations while under the supervision of the
court or a regulator for a previous violation.
- Senator Warren and Chairman
Cummings released two additional GAO reports, prepared at their request,
detailing how hackers exploited
significant vulnerabilities at Equifax to gain access to the
sensitive personal information of more than 145 million Americans and
recommending stronger
consumer protection efforts to prevent another Equifax disaster.
GAO recommendations were incorporated into the lawmakers' 2019
bill.
- Senator Warren released the
first comprehensive review of consumer complaints in the wake of the
breach, revealing that the Consumer Financial Protection Bureau (CFPB)
received more than 20,000 consumer complaints following the Equifax
breach.
- In March 2018, on the 10th
anniversary of the collapse of Bear Stearns, which marked the beginning of
the financial crisis, she introduced the Ending
Too Big to Jail Act, a bill that would make it easier to bring
criminal charges against bank executives whose organizations defraud
consumers.
- Senator Warren unveiled
a 15-page report in February 2018 containing the findings of a
four-month long investigation into how Equifax failed to protect the
personal data of more than 145 million Americans.
###