Are data breaches getting bigger, involving more and more people? The complaint for this class action claims that information for one hundred million people was exposed in the data breach involving Capital One Financial Corporation, Capital One, NA, and Capital One Bank (USA), NA. It claims that Capital One should be held responsible for not properly protecting the information.
“On July 29, 2019, Capital One announced that the personal information of over 100 million credit card applicants and customers had been accessed by a hacker—marking one of the largest data thefts from a financial institution in history.” So begins the description of the Nature of the Action section in the complaint. This information involves sensitive personally identifying information (PII), such as names, dates of birth, incomes, balances, payment histories, account numbers, and social security numbers.
The breach seems to have taken place in March 2019, when a hacker named Paige Thompson accessed information for applicants and customers that spanned a fourteen-year period, from 2005 to 2019. She then posted the information on her GitHub account, allowing access to other unauthorized users.
The complaint quotes Capital One as promising to “make your safety and security a top priority” and as being “committed to protecting your personal and financial information with controls based upon internationally recognized security standards, regulations, and industry-based best practices.” However, the complaint says, the company “negligently failed to implement, test and maintain reasonable cyber-security measures to safeguard” customer and applicant PII.
According to the complaint, Amazon Web Services hosted the servers Capital One used to store its information, and the company constructed another application on top of Amazon’s to allow it to use data as it needed. The complaint says that “it was this application that was breached.”
The complaint claims that the FBI found that a “misconfiguration” of a firewall on an application allowed Thompson access to the PII.
The information Thompson posted remained exposed between April 21, 2019 and July 17, 2019, when an anonymous tipster notified Capital One.
According to the complaint, Capital One is fully aware of the threat posed by unauthorized access. In 2017, it reported that a former employee might have had access for four months to customers’ personal data; it reported another, similar breach in 2014.
The complaint alleges that Capital One failed to safeguard the information, failed to discover the breach for nearly four months, and then waited another ten days to notify the persons whose data had been exposed.
Four classes and subclasses have been proposed for this action.