It's among the worst fears of any bank CEO.
A lone hacker managed to steal the personal information of more than 100 million Capital One customers, the Virginia-based bank said Monday in a release. Most of what was taken related to customers' credit-card applications from 2005 to early 2019, including names, addresses, dates of birth and income, the lender said.
Bank CEOs including Jamie Dimon have been highlighting the risks of a cyberassault for years. Amid a steady stream of high-profile hacks, including a 2014 breach at J.P. Morgan, the industry is engaged in a cybersecurity arms race, spending ever-increasing amounts on personnel and technology projects to throw up barriers against a growing array of bad actors.
While banks have been in cost-cutting mode since the financial crisis, security budgets have exploded, in part because of the ubiquitous nature of the risks. In 2015, Bank of America CEO Brian Moynihan said cyberdefense was "the only place in the company that doesn't have a budget constraint."
At just the two biggest U.S. banks — J.P. Morgan Chase and Bank of America — security budgets have swollen to a combined $1.4 billion a year. Overall, the industry spends an average of $2,300 per employee annually on cyberdefense, according to a Deloitte survey released in May.
"The threat of cyber security may very well be the biggest threat to the U.S. financial system," Dimon said in an April letter to shareholders. "The financial system is interconnected, and adversaries are smart and relentless — so we must continue to be vigilant."
Dimon knows this from personal experience: In October 2014, his bank said that hackers exploited an employee password to pull off one of the largest reported cyberattacks on a major financial institution, exposing data on 76 million households.
As a general rule, the industry has been loath to give specifics about cyberdefenses out of fear that it will give bad actors a blueprint to launch fresh attacks. But it's been employing everything from low-tech reminders about passwords posted in offices to sophisticated data analytics and risk-management programs to stay ahead of criminals.
On a 2016 visit to a J.P. Morgan office for technology workers in Delaware, much of the lobby was taken up with 8-foot-tall billboards reminding staff to comply with the firm's code of conduct to protect customer data. "The risks to the firm are very real, as are the consequences of non-compliance," the bank warned employees.
Banks have also been pushing for greater cooperation between private industry and government agencies, including the FBI. That has included the National Cyber-Forensics and Training Alliance, a non-profit focused on detecting and neutralizing cyber threats.
"The most important role government has is to mandate that sharing to occur," Cathy Bessant, chief operations and technology officer at Bank of America, said in an October interview. "There is no competitive advantage to secrets in this space, especially regarding risk, and sharing is the key to prevention and detection."
The Capital One hack highlights the risks banks face from software firms they rely on to keep pace with customers' expectations.
The breach is allegedly the work of Paige A. Thompson, a former employee of Amazon Web Services. She is accused of infiltrating the bank's firewall to get customer information being stored on the servers of Amazon, the biggest cloud provider. Banks have been shifting more of their computing and storage to the cloud to cut costs and increase the speed with which they can introduce the latest apps.
"AWS was not compromised in any way and functioned as designed," an Amazon Web Services spokesperson said in a statement to CNBC. "This type of vulnerability is not specific to the cloud."
"Capital One is one of the most 'cloud forward' financial companies in the world," said Tom Kellermann, chief cybersecurity officer at software firm Carbon Black. "They should be partnering with solution providers who are intimately aware of how to keep the cloud secure."