This is one of two class action lawsuits filed in the space of just a few days to protest the extensive data breach at Capital One Bank (USA), NA. (The other class action cites two other Capital One companies as defendants as well.) The complaint alleges that Capital One did not take reasonable and adequate measures to secure the data of its customers, particularly applicants for its credit cards.
The class for this action is all persons in the US who have applied for a Capital One consumer credit card since 2005. There is also a California Subclass consisting of all persons in California who have applied for a Capital One credit card since 2005.
According to the complaint, Capital One is “one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020—a move the company says will help lower costs.”
Since July 2019, it has been storing data through the use of Amazon Web Services (AWS) and its data storage software Simple Storage Service. However, AWS was not involved in the data breach.
It seems that Capital One built its own system on top of AWS’s systems, so that it could use its information in the ways it wanted. Unfortunately, the complaint says there was a “misconfiguration of a firewall” in Capital One’s system. This defect, the complaint claims, allowed a hacker or hackers to access the bank’s data between March 12 and July 17, 2019.
On July 19, 2019, the complaint says, Capital One “determined that there had been an unauthorized access to the personal data of individuals that had applied for a credit card between 2005 and early 2019. The stolen data includes Social Security numbers, credit scores, bank account numbers, and dates of birth, among other things.
The complaint alleges that the hackers shared the information with at least one other person and “posted sensitive information on Github…”
This is not Capital One’s first data breach. It also had breaches in 2014 and 2017.
The complaint alleges that Capital One failed to put into practice reasonable security measures that could prevent this kind of breach, which it claims is a violation of state law under the California Civil Code. In addition, it alleges violations of the state’s Unfair Competition Law as well as negligence.