Capital One’s Data Breach Could Cost the Company up to $500 Million

Just a week after Equifax reached a settlement for its massive 2017 data breach, credit card titan Capital One revealed that it too had been compromised in a hack affecting over 106 million customers in March.

Now it could pay between $100 million and $500 million in U.S. fines for the breach, according to an early estimate by Morgan Stanley analyst Betsy Graseck in a Wednesday note to clients.

"While only a limited number of social security numbers were exposed, the sheer magnitude of customers that had their personal information hacked could expose Capital One to regulatory fines and/or state settlements," she wrote. "One unknown? Impact of affected Canadian customers, given the higher percentage of exposed Social Insurance Numbers."

The hack affected about 100 million U.S. consumers, and 6 million Canadian clients, according to Capital One. About 140,000 Social Security numbers and 80,000 linked bank account numbers were obtained through the breach. But Canadians were more heavily impacted, with about one million Social Insurance numbers compromised.

Capital One says it expects the breach to cost $100 million to $150 million in 2019.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard Fairbank, CEO of Capital One, in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

The FBI arrested the suspected hacker, 33-year-old Paige Thompson, Monday.

Graseck's analysis is rooted in fines paid following other high-profile breaches, which have averaged payments of between $1 and $5 per social security figure. For instance, credit scoring firm Equifax recently agreed to pay up to $700 million for a breach that impacted roughly 146.6 million consumers.

Graseck notes, however, that the Equifax breach currently looks "more problematic" than Capital One's. While a fraction of Capital One's customers had their Social Security numbers accessed, about 145.5 million were stolen in Equifax's case.

Much of the fines could also be covered by Capital One's cyber insurance policy, which covers up to $400 million following a $10 million deductible.

Certainly, cybersecurity—or the lack of—has become the bogeyman of the financial services industry. Among bank Chief Risk Officers and boards alike, cybersecurity is now considered the top risk, according to EY and the Institute of International Finance's 2018 Global Bank Risk Management survey.

With good reason: Not only can it impact a firm's bottom line, a successful hack can also lead to greater scrutiny from lawmakers.

"We would not be surprised to see regulators conduct a horizontal review of bank cyber risk preparedness, including firewall management," Graseck wrote. "We have seen regulators do horizontal reviews of banks in the past, such as after Wells Fargo’s fake account revelation."

For Capital One, the storm is just beginning.
