“A financial institution that purposefully collects and retains highly sensitive personal information must protect” that information. So says one of the introductory lines in the complaint for this class action. The topic is the Capital One data breach, which the complaint lays at the feet of Capital One Financial Corporation and Amazon Web Services, Inc. (AWS).
The Nationwide Class for this action is all persons in the US whose personal and financial information was compromised in the data breach reported by Capital One on July 29, 2019. The complaint also proposes state subclasses for California, Arizona, Ohio, and Washington.
The introductory section of this complaint makes a number of statements about the responsibilities of companies that take and store confidential financial information. Among them are these:
It ends the list with the statement, “This lawsuit stems from Defendants’ failure to follow these simple rules.”
Capital One is one of the largest financial institutions in the US: it is among the top ten banks by deposits and is the third largest issuer of credit cards. Its cloud-based web systems are operated by Amazon Web Services.
On July 29, 2019, Capital One announced that its systems had been breached, exposing the information of some 106 million consumers. However, the breach had been ongoing for a long time by then, from approximately March 22 to at least April 21 that year.
The hacker is believed to be Paige Thompson, who was arrested by the FBI and charged with computer fraud and abuse. Thompson was a former employee of AWS. She was able to get to the information by exploiting a “configuration vulnerability” in the system. Thompson may have hacked thirty different companies and educational institutions.
The complaint says that “Thompson executed her hacking attacks on multiple companies that used AWS, through a vector that was known to AWS.”
The counts include negligence, negligence per se, and violation of state consumer protection laws, among other things.