
Capital One, Amazon Web “Configuration Vulnerability” Data Breach Class Action


“A financial institution that purposefully collects and retains highly sensitive personal information must protect” that information. So says one of the introductory lines in the complaint for this class action. The topic is the Capital One data breach, which the complaint lays at the feet of Capital One Financial Corporation and Amazon Web Services, Inc. (AWS).

The Nationwide Class for this action is all persons in the US whose personal and financial information was compromised in the data breach reported by Capital One on July 29, 2019. The complaint also proposes state subclasses for California, Arizona, Ohio, and Washington.

The introductory section of this complaint makes a number of statements about the responsibilities of companies that take and store confidential financial information. Among them are these: 

  • “When personal information is collected by a financial institution as a requirement to providing its services, the company and the cloud services company it utilizes must be at the forefront of data security…” 
  • “A financial services company and its web services provider must have systems and resources in place to detect when its systems have been breached, instead of having to rely on tips from anonymous ‘white hat’ hackers to know when customer information is up for grabs.” 
  • “And when a data breach involving up to 106 million records of innocent customers occurs, a financial institution and its web services provider must immediately and accurately notify all those affected to prevent consumers from becoming victims of identity theft.”

It ends the list with the statement, “This lawsuit stems from Defendants’ failure to follow these simple rules.”

Capital One is one of the largest financial institutions in the US—in the top ten of banks for deposits and the third largest issuer of credit cards. Its cloud-based web systems are operated by Amazon Web Services. 

On July 29, 2019, Capital One announced that its systems had been breached, exposing the information of some 106 million consumers. However, the breach had been ongoing for a long time by then, from approximately March 22 to at least April 21 that year. 

The hacker is believed to be Paige Thompson, who was arrested by the FBI and charged with computer fraud and abuse. Thompson was a former employee of AWS. She was able to get to the information by exploiting a “configuration vulnerability” in the system. Thompson may have hacked thirty different companies and educational institutions.

The complaint says that “Thompson executed her hacking attacks on multiple companies that used AWS, through a vector that was known to AWS.”

The counts include negligence, negligence per se, and violation of state consumer protection laws, among other things.
