(Reuters) – Capital One Financial Corp’s (COF.N) assurances that a major data breach would have a limited impact on customers or profit failed to convince investors on Tuesday, with the bank’s shares closing down 5.9%.
Capital One said the prior day that 106 million people who had applied for credit cards in the United States and Canada had their personal data exposed.
The bank expects the incident to cost $100 million-$150 million this year, some of which may be covered by a sizeable insurance policy. It also confirmed prior guidance that operating efficiency would improve.
However, investors are wary, given the scale of the breach, the reputational impact on Capital One and likelihood of additional costs, analysts said.
“We are skeptical of management’s implication that an issue of this magnitude will not impact go-forward earnings & efficiency expectations,” Evercore ISI analyst John Pancari wrote to clients.
Analysts pointed to the legal expenses and possible regulatory penalties Capital One might face.
On Tuesday, two class-action lawsuits were filed in federal courts and the state attorneys general of New York and Connecticut each said their offices would begin probing the matter. A few lawmakers also issued statements criticizing Capital One or calling for a tougher privacy law.
The breach stemmed from Capital One’s decision to store data in Amazon.com Inc’s (AMZN.O) cloud unit, called Amazon Web Services (AWS), where a former employee named Paige Thompson managed to access its data. She was charged with computer fraud by federal prosecutors in Seattle and made her first court appearance on Monday.
Amazon said its cloud unit that stored the data was not compromised in any way. Instead, it attributed the breach to a “misconfiguration” outside of the cloud.
Capital One attributed the problem to an error in its own infrastructure. The bank has been an enthusiastic adopter of external cloud services, with senior executives appearing at AWS events or touting the benefits.
Amazon shares closed 0.7% lower on Tuesday.
Capital One did not have an immediate response to Reuters questions about its technological vulnerabilities on Tuesday. But analysts said its reliance on a third-party provider would come under new scrutiny.
The incident “raises questions on how best to police and protect client information,” said Morgan Stanley analyst Betsy Graseck.
“Today’s revelation reminds investors of the trust that financial institutions place in their client-facing employees and highlights risks of outsourcing any part of client-facing operations,” Graseck wrote in a report.
She expects the shares to remain under pressure as investors question whether the bank has other cloud-based vulnerabilities, and whether there will be additional regulatory scrutiny and expenses.
Reporting by David Henry in New York; Additional reporting by Supantha Mukherjee and Kanishka Singh in Bengaluru and Jonathan Stempel in New York; Writing by Lauren Tara LaCapra; Editing by Nick Zieminski and Matthew Lewis