Capital One (NYSE:COF) recently announced a data breach that affected 106 million customers, but it may not be as bad as it sounds. In this Industry Focus: Financials clip, host Jason Moser and Fool.com contributor Matt Frankel, CFP, compare it with some of the other high-profile breaches in recent years.
To catch full episodes of all The Motley Fool's free podcasts, check out our podcast center. A full transcript follows the video.
This video was recorded on Aug. 5, 2019.
Jason Moser: Let's take a look here at Capital One. There was some news that came out recently here in regard to a data breach. On July 29, Paige Thompson, a former employee at Amazon, was arrested and accused of carrying out a massive theft of 106 million Capital One records. Now, for all intents and purposes, when you look at Capital One, most people know it as that credit card commercial on TV, but Capital One is a bank. I guess the question we have here first and foremost is, what should investors be thinking about this type of a breach, Matt?
Matt Frankel: Well, Capital One's already put a number on it, first of all. They say it's going to wind up costing the bank between $100 [million and] $250 million. But going a little bit further, just to put this in perspective, you mentioned the 106 million customers that were affected. The vast majority of those were things like names, addresses, credit card balances -- information that you don't want anyone to have, but they can't do a whole lot with. When it comes to the sensitive information, 140,000 Social Security numbers, which out of 106 million really isn't very much; 80,000 bank account numbers. Which, don't get me wrong, that's 140,000 more Social Security numbers than we'd like them to lose. It affected about 1% of Capital One's customers overall in terms of sensitive information. To put that in perspective, a couple of the other high-profile data breaches over the years: in 2013, the infamous Target data breach. My mother had her identity stolen after the Target data breach. That was 41 million customers whose credit card account numbers were compromised. The next year, 2014, Home Depot, 56 million credit card accounts were compromised. That's a great example of how, over the long term, this really doesn't affect investors that much. If you look at a chart of Home Depot's stock over the past five years, you would never know that there was a massive data breach. They've done tremendously well.
Moser: Look at Equifax's stock chart. After all was said and done there, I mean, that was the shot heard around the world, basically. Equifax is still alive and kicking, which made me wonder -- this is just a blip on the radar, I would imagine.
Frankel: Right. Equifax was 143 million Social Security numbers. That was a big deal. Credit card numbers for a bunch of people. Like I said, the Capital One breach, it was mostly harmless -- I don't want to say harmless, but mostly non-sensitive information. It's really tough to steal someone's identity if you know their credit limit, for example. About 1% of their clientele was affected in a way that could meaningfully affect their identity. Capital One knows who those people are. They're alerting everybody whose Social Security number was stolen or bank account number, or, in Canada... what's it called? Their equivalent of Social Security number. I can't remember the name off the top of my head. But, a million of those were stolen. That was actually the biggest part of sensitive information. Those people are all being notified. About 1% of the total customer base.
From a long-term investor's perspective, I'm not terribly worried about it. Capital One is a pretty big company. Just looking, they're a $40 billion market cap. It's going to cost them about $100 million. That's a significant amount of money, but over the long term, that's a speeding ticket for Capital One. So, I'm not too concerned over the long term. I'd be more concerned about what happens to credit card business during a recession as an investor. Credit card default rates tend to tick up a lot quicker than anything else during a recession. Capital One, you mentioned, is much more of a credit card company than most other banks. Everyone knows their commercials with Samuel L. Jackson. "What's in your wallet?" They're much more tied to the credit card business. So, from a risk perspective, that's much more of a risk than this breach, in my opinion.
Moser: Yeah. This seems like it's probably third string junior varsity compared to some of the other stuff out there. As far as what's in consumers' wallets, I imagine they'll have access to a credit monitoring report for the next year to two years to help them deal with this. But I tend to agree with you, it just doesn't seem like it's that big of a deal. When you look at the actual business itself, Capital One is clearly a company that has been built on technology evolving with the times. From a bank's perspective, you look at the company, it generates return on assets at 1.6% and trending in the right direction. Strong financial position, you look at the deposits number there, deposits of $255 billion, that's up from $205 billion back in 2014. I feel like, yeah, this is one of those things that we'll forget about it in short order. If anything, I think it gives these cloud providers maybe a little bit of a wake up call. Whether you're Amazon or Microsoft or Google, you have to be thinking, "All right, what can we do to prevent this from happening again?" It looks just as bad for Amazon, in my opinion, as it does for Capital One here.
Frankel: Yeah. And don't get me wrong, socially, this is a bad thing. This is a bigger breach than should have happened. But from a dollars and cents perspective, for investors, we're saying it's not that big of a deal. We don't want anyone's credit card numbers to be compromised, or Social Security numbers. And yeah, this could be a wake up call to whoever is providing security services for Capital One.