IT Security & AI Ethics: Capital One and Facial Recognition
Explore a technical analysis of the Capital One data breach and the ethical implications of facial recognition technology in Information Systems Management.
Information Systems Management
Case Study Analysis: IT Security & Artificial Intelligence
Case Study 1: Capital One Data Breach
Case Study 2: Facial Recognition Systems
University of Wolverhampton | Group Assessment | January 2026
KNOWLEDGE • INNOVATION • ENTERPRISE
Table of Contents
Part 1: IT Security
Introduction to Information Systems Security
Capital One Data Breach – Overview
How the Breach Happened (Technical Analysis)
Impact on Customers & the Bank
Security Failures & Lessons Learned
Recommendations for IT Security
Part 2: AI & Managing Knowledge
Introduction to Facial Recognition Technology
How Facial Recognition Works
Benefits of Facial Recognition
Risks, Drawbacks & Bias
Ethical Concerns & Regulations
Recommendations & Future Outlook
Conclusion & Key Takeaways
PART 1
Securing Information Systems
Case Study: The Capital One Data Breach
Exploring how a major cloud misconfiguration led to one of the largest financial data breaches in history, exposing over 100 million customer records.
IT Security • Data Protection • Cloud Security
Introduction to Information Systems Security
Information Systems Security (ISS) refers to the processes and methodologies used to keep information confidential and available and to assure its integrity.
CONFIDENTIALITY
Protecting data from unauthorised access
INTEGRITY
Ensuring data accuracy and trustworthiness
AVAILABILITY
Guaranteeing data is accessible when needed
Why It Matters
Organisations handle vast amounts of sensitive customer data
Breaches can result in financial loss, legal penalties & reputational damage
Cybercrime costs the global economy over $8 trillion annually (2023)
Capital One Data Breach – Overview
106 Million
Customers Affected (US & Canada)
March 2019
Breach Occurred
July 29, 2019
Publicly Disclosed
$190 Million
Class Action Settlement
In 2019, Capital One Financial Corporation suffered one of the largest data breaches in banking history. Former AWS software engineer Paige Thompson exploited a misconfigured Web Application Firewall (WAF) to gain unauthorised access to Capital One's AWS cloud storage, stealing sensitive personal and financial data from over 106 million individuals.
Names, addresses, dates of birth
Credit scores, balances, payment history
~140,000 US Social Security Numbers
~80,000 linked bank account numbers
~1 million Canadian Social Insurance Numbers
How the Breach Happened – Technical Analysis
Misconfigured WAF
Capital One's Web Application Firewall on AWS was incorrectly configured, creating a vulnerability.
SSRF Exploit
The attacker used a Server-Side Request Forgery (SSRF) attack to make the WAF host issue internal requests on her behalf, returning the credentials of the IAM role attached to that host.
AWS Credentials Stolen
The IAM (Identity & Access Management) role credentials were obtained, granting cloud access.
S3 Buckets Accessed
Attacker listed and downloaded data from Amazon S3 storage buckets containing customer data.
Data Exfiltrated
106 million records downloaded over several months (March–July 2019).
ROOT CAUSE
Over-privileged IAM roles combined with a misconfigured firewall created an open pathway to sensitive cloud data storage.
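The chain above has a recognisable footprint in cloud audit logs: an instance role that normally never touches storage suddenly enumerates buckets and reads many of them from an unexpected address. The following detection logic is an added example, not part of the original deck; the events, role names, addresses and thresholds are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed CloudTrail-style events (not real Capital One logs).
# "waf-instance-role" is a hypothetical EC2 role attached to a WAF host;
# it has no legitimate reason to enumerate or read customer S3 buckets.
EVENTS = [
    {"eventName": "GetObject", "role": "app-service-role", "sourceIP": "10.0.1.20", "bucket": "app-assets"},
    {"eventName": "ListBuckets", "role": "waf-instance-role", "sourceIP": "203.0.113.7", "bucket": None},
    {"eventName": "GetObject", "role": "waf-instance-role", "sourceIP": "203.0.113.7", "bucket": "cust-data-01"},
    {"eventName": "GetObject", "role": "waf-instance-role", "sourceIP": "203.0.113.7", "bucket": "cust-data-02"},
    {"eventName": "GetObject", "role": "waf-instance-role", "sourceIP": "203.0.113.7", "bucket": "cust-data-03"},
]

# Roles that are expected to read customer data, and the networks they call from (constructed).
ALLOWED_S3_ROLES = {"app-service-role"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
MAX_BUCKETS_PER_ROLE = 2   # one role touching more distinct buckets than this is suspicious

def analyse(events):
    """Return alert strings for S3 activity that breaks the expected access pattern."""
    alerts = []
    buckets_by_role = defaultdict(set)
    for e in events:
        role, ip = e["role"], ip_address(e["sourceIP"])
        internal = any(ip in net for net in INTERNAL_NETS)
        if e["eventName"] == "ListBuckets":
            # Bucket enumeration is the reconnaissance step before bulk download.
            alerts.append(f"{role}: bucket enumeration (ListBuckets) from {ip}")
        if e["eventName"] == "GetObject":
            if role not in ALLOWED_S3_ROLES:
                alerts.append(f"{role}: unexpected S3 read of {e['bucket']}")
            if not internal:
                alerts.append(f"{role}: S3 call from external address {ip}")
            buckets_by_role[role].add(e["bucket"])
    # Breadth of access across buckets is the signal for mass exfiltration.
    for role, buckets in buckets_by_role.items():
        if len(buckets) > MAX_BUCKETS_PER_ROLE:
            alerts.append(f"{role}: read from {len(buckets)} distinct buckets (possible mass exfiltration)")
    return alerts

if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```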
Impact on Customers & the Bank
Impact on Customers
Identity theft risk for millions of individuals
Exposure of Social Security Numbers and bank account details
Financial stress and anxiety for affected customers
Loss of trust in Capital One's ability to protect data
Class action lawsuit resulting in $190M settlement paid to victims
Impact on Capital One
$80 million fine by the Office of the Comptroller of the Currency (OCC)
$190 million class-action settlement
Significant reputational damage and loss of customer confidence
Increased regulatory scrutiny and compliance requirements
Mandatory overhaul of cloud security infrastructure and practices
Lesson
A single misconfiguration can cascade into catastrophic financial and reputational damage. Security cannot be an afterthought.
Security Failures & Lessons Learned
What Went Wrong
Misconfigured Firewall
The WAF was not properly set up, leaving an exploitable gap in the perimeter defence.
Over-Privileged IAM Roles
Cloud roles had excessive permissions, allowing broad access once compromised.
Delayed Detection
The breach went undetected for nearly 4 months (March–July 2019).
Insufficient Monitoring
Lack of real-time alerts and anomaly detection for unusual data access patterns.
Lessons Learned
Apply the Principle of Least Privilege to all cloud IAM roles
Conduct regular security audits and penetration testing of cloud configurations
Implement real-time monitoring, anomaly detection, and automated alerts
Recommendations for IT Security
Preventing Future Data Breaches in Cloud Environments
Zero Trust Architecture
Never trust, always verify. Authenticate every user and device continuously, regardless of network location.
Cloud Security Posture Management
Use automated tools to continuously scan and fix cloud misconfigurations before they are exploited.
Least Privilege Access
Grant only the minimum permissions required for each role. Regularly review and revoke unnecessary access.
Real-Time Monitoring & SIEM
Deploy Security Information and Event Management (SIEM) tools to detect anomalies and trigger instant alerts.
Regular Penetration Testing
Conduct scheduled and unannounced ethical hacking tests to identify vulnerabilities proactively.
Security Awareness Training
Educate all employees on cybersecurity best practices, phishing risks, and data handling procedures.
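The least-privilege lesson and the posture-management recommendation above both come down to catching over-broad role policies before they are exploited. As an added example (not from the deck and not Capital One's configuration), a small checker flags the over-broad policy shape and passes a least-privilege alternative; both policies and the bucket name are constructed.

```python
# OVER_PRIVILEGED resembles the failure pattern in the case study: a role meant for
# one workload that can list and read every bucket in the account (constructed).
OVER_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# LEAST_PRIVILEGE grants only the action and the single bucket the workload needs
# (hypothetical bucket name).
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::waf-logs-bucket/*"]},
    ],
}

# Actions that let a principal discover or bulk-read data; worth review on any app role.
SENSITIVE_ACTIONS = {"s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(pattern, action):
    """IAM-style wildcard match: 's3:*' matches 's3:GetObject', '*' matches everything."""
    if pattern == "*":
        return True
    svc, _, act = pattern.partition(":")
    asvc, _, aact = action.partition(":")
    return svc == asvc and (act == "*" or act == aact
                            or (act.endswith("*") and aact.startswith(act[:-1])))

def find_findings(policy):
    """Return a list of least-privilege findings for an IAM policy document."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' grants access to every resource")
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action '{a}'")
        granted = {s for s in SENSITIVE_ACTIONS if any(_action_matches(a, s) for a in actions)}
        if "s3:ListAllMyBuckets" in granted:
            findings.append(f"statement {i}: role can enumerate all buckets in the account")
    return findings
```

Running `find_findings` on each policy in a CI step for infrastructure code is one way to turn the recommendation into an automated gate rather than a periodic review.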
PART 2
Managing Knowledge & Artificial Intelligence
Case Study: Facial Recognition Systems
Examining the technology, applications, benefits, risks, and ethical implications of facial recognition systems in modern society.
AI • Machine Learning • Ethics • Privacy
Introduction to Facial Recognition Technology
Facial Recognition Technology (FRT) is an AI-powered biometric system that uses algorithms to identify or verify individuals by analysing the unique geometric features of a human face.
Global Market
$14.5B
Market is projected to reach $14.5 billion by 2029
Adoption Rate
100+
Countries worldwide using FRT in law enforcement
Accuracy
>99%
Accuracy achieved by modern algorithms under optimal conditions
Law Enforcement
Border Control
Banking & Finance
Smartphone Unlock
Retail & Marketing
Healthcare
How Facial Recognition Works
Face Detection
The system scans an image or video stream and detects the presence of a human face using object detection algorithms.
Feature Extraction
Key facial landmarks (distance between the eyes, nose shape, jawline, cheekbones) are identified, mapping around 80 nodal points.
Faceprint Creation
The extracted features are converted into a unique numerical "faceprint" (facial signature) — similar to a fingerprint.
Database Matching
The faceprint is compared against a database of known faces using machine learning similarity algorithms (e.g., deep neural networks).
Identification / Verification
The system either identifies who the person is (1:many search) or verifies their claimed identity (1:1 match) with a confidence score.
1:1 Verification
Confirms identity (e.g., phone unlock)
1:N Identification
Finds a match in a crowd (e.g., CCTV surveillance)
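The faceprint-matching and 1:1 versus 1:N steps described above, as an added example that is not part of the original deck: faceprints are constructed 4-dimensional vectors (real systems use much longer neural-network embeddings, but the comparison logic is the same), compared by cosine similarity, and a constructed unenrolled probe shows how a threshold set too low produces the false positive the risks section warns about.

```python
import math

# Constructed faceprints for three enrolled identities (not from any real system).
GALLERY = {
    "alice": [0.90, 0.10, 0.30, 0.20],
    "bob":   [0.10, 0.85, 0.25, 0.40],
    "carol": [0.30, 0.20, 0.90, 0.10],
}
# A fresh capture of alice with small variation (lighting, angle), constructed.
PROBE_ALICE = [0.88, 0.12, 0.32, 0.18]
# Someone who is not enrolled at all, constructed.
STRANGER = [0.60, 0.55, 0.50, 0.30]

def cosine_similarity(a, b):
    """Similarity in [-1, 1] between two faceprints; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def verify(probe, claimed_id, threshold=0.90):
    """1:1 verification (e.g. phone unlock): does the probe match the faceprint
    enrolled for claimed_id? Returns (accepted, confidence score)."""
    score = cosine_similarity(probe, GALLERY[claimed_id])
    return score >= threshold, round(score, 3)

def identify(probe, threshold=0.90):
    """1:N identification (e.g. CCTV search): best-scoring enrolled identity, or None
    if nothing clears the threshold. Returns (identity_or_None, confidence score)."""
    best_id, best = max(((pid, cosine_similarity(probe, fp)) for pid, fp in GALLERY.items()),
                        key=lambda t: t[1])
    return (best_id if best >= threshold else None), round(best, 3)

if __name__ == "__main__":
    print("verify alice:", verify(PROBE_ALICE, "alice"))
    print("identify alice:", identify(PROBE_ALICE))
    # The stranger scores ~0.82 against alice: rejected at 0.90, but a looser
    # threshold of 0.80 returns "alice", a false positive with real-world consequences.
    print("stranger @0.90:", identify(STRANGER))
    print("stranger @0.80:", identify(STRANGER, threshold=0.80))
```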
Benefits of Facial Recognition Technology
Enhanced Security
Quickly identifies criminals and suspects in public spaces, airports, and at borders, improving law enforcement efficiency.
Frictionless Authentication
Enables fast, password-free access to devices, bank accounts, and secure facilities without physical tokens.
Healthcare Applications
Helps identify patients, track medical histories, detect pain levels, and assist those with speech or mobility difficulties.
Missing Persons & Crime
Has helped locate missing children and identify criminals, with documented successes in law enforcement globally.
Financial Fraud Prevention
Banks use FRT to verify customer identity, reducing account takeover fraud and enabling secure transactions.
Accessibility
Enables hands-free device interaction for people with physical disabilities, improving quality of life.
Risks, Drawbacks & Bias
Technical Risks
Lower accuracy for darker skin tones, women, and the elderly: algorithmic bias from non-diverse training data
False positives can lead to wrongful identification and unjust arrests
Lighting, ageing, facial hair, and accessories reduce accuracy
Deepfake technology can potentially spoof facial recognition systems
Social & Privacy Risks
Mass surveillance without consent enables tracking of individuals in public spaces
Unlike passwords, biometric data cannot be changed once stolen
Used by authoritarian regimes to suppress dissent and monitor citizens
Risk of "function creep": technology used beyond its original stated purpose
Data breaches of facial databases could expose millions permanently
Rite Aid deployed facial recognition in stores that disproportionately flagged people of colour as shoplifters — the system was banned by the FTC in 2023.
Ethical Concerns & Regulations
Consent & Transparency
Individuals rarely know when their face is being scanned or how that data is stored and used.
Algorithmic Bias
Systems trained on non-diverse data produce discriminatory outcomes against minorities and women.
Mass Surveillance
Governments and corporations can track individuals' movements without their knowledge or approval.
Data Rights
Citizens have no means to opt out of biometric profiling or reclaim their facial data once captured.
Regulatory Landscape
🇪🇺
GDPR (EU)
Classifies biometric data as "special category" data — requires explicit consent for processing
🇪🇺
EU AI Act (2024)
Bans real-time remote biometric identification in public spaces with limited exceptions
🇺🇸
US — Fragmented
Some cities (San Francisco, Boston) have banned government use; no federal law yet
Key Ethical Principle
Technology must serve people — not the other way around. The deployment of facial recognition must be governed by transparency, accountability, and respect for human rights.
Recommendations & Future Outlook
Our Recommendations
Diverse & Inclusive Training Data
Ensure AI models are trained on representative datasets across races, genders, and age groups to eliminate bias.
Opt-In Consent Frameworks
Citizens should provide explicit, informed consent before their biometric data is collected or processed.
Independent Algorithmic Audits
Third-party audits should regularly test FRT systems for accuracy, fairness, and discrimination.
Strong Data Governance
Biometric data should be encrypted, anonymised where possible, and subject to strict retention limits.
Clear Legal Frameworks
Governments should establish comprehensive laws regulating when, where, and how FRT can be deployed.
Future Outlook
Continued growth in commercial and law enforcement adoption globally
Integration with other AI systems (gait recognition, emotion detection)
Increasing regulatory pressure — EU AI Act sets a global precedent
Research focus on bias reduction and explainable AI (XAI)
Conclusion & Key Takeaways
Capital One Data Breach
Cloud security requires constant vigilance — misconfigurations can have catastrophic consequences
The Principle of Least Privilege and real-time monitoring are non-negotiable in modern cloud environments
Organisations must invest in proactive security culture, not just reactive incident response
Facial Recognition Systems
FRT offers genuine benefits in security and convenience, but must be deployed responsibly
Algorithmic bias remains a serious challenge that demands diverse data and rigorous testing
Legal and ethical frameworks must evolve at the same pace as the technology
Both case studies demonstrate that technological innovation brings both opportunity and responsibility. Effective Information Systems Management requires balancing capability with security, ethics, and accountability.