When a massive data breach occurs, which parties bear responsibility? This class action looks at the recent Capital One data breach and names as defendants Capital One NA, Capital One Bank (USA), Capital One Financial Corporation, Amazon.com, Inc., Amazon Web Services, Inc., and GitHub, Inc.
The class for this action is all persons and entities in the US who gave personal or financial information to Capital One and whose personal information was accessed, compromised or stolen by unauthorized individuals in the data breach announced on July 29, 2019.
Capital One announced the data breach on July 29, 2019. It claims that a hacker called Paige Thompson gained access to roughly 100 million credit card applications, along with thousands of Social Security and bank account numbers.
The complaint claims, “This is one of the largest-ever data breaches of a financial services firm.”
Capital One, NA and Capital One Bank (USA) are subsidiaries of Capital One Financial Corporation. Together they make up what the complaint calls “one of the largest credit card issuers in the United States and one of the top 10 largest banks based on deposits, serving approximately 45 million customer accounts.”
Capital One rents cloud-based storage from Amazon Web Services (AWS). The complaint quotes the Capital One CIO as saying, in 2015, that “the financial services industry attracts some of the worst cybercriminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”
Both AWS and Capital One profess to take good care of customer PII.
Thompson, the alleged hacker, was a former employee of Amazon’s web services unit. This raises questions as to whether she used knowledge acquired while at that job to carry out the hack.
The FBI states that she was able to gain access to Capital One through a “configuration vulnerability.” Capital One says that this “unauthorized access also enabled the decrypting of data.” The complaint says that the data breach “was possible because of a known vulnerability in AWS that the Amazon defendants failed to correct…”
The data breach took place between March 22 and at least April 21, 2019. Unfortunately, the complaint says that the companies did not discover it until July 17 of that year.
In the meantime, Thompson disseminated the information. The complaint says, “A third party who notified Capital One of the Data Breach stated that some of the bank’s internal data, which had been stored on the AWS S3 platform, had been posted publicly on the code-sharing and easily accessible GitHub website.”
The counts include negligence, negligence per se, and violations of state data breach notice statutes, among other things.