Capital One Data Breach in Amazon’s Cloud Class Action

The data breach experienced by Capital One, one of the largest banks and credit card issuers in the country, on July 29, 2019, affected more than 100 million people. The complaint for this class action alleges that this massive breach was caused by inadequate security measures and holds responsible both Capital One entities (Capital One Financial Corporation, Capital One Bank (USA), NA, and Capital One, NA) and Amazon entities (Amazon.com, Inc. and Amazon Web Services or AWS) who hosted the information on AWS.

The class for this action is all persons in the US whose PII was exposed in the data breach.

Shockingly, the complaint claims that the data breach was perpetrated by Paige A. Thompson, a former Amazon employee, who was able to obtain access to, view, and remove PII from the Capital One files.

The stolen information included addresses, dates of birth, self-reported income, 140,000 Social Security numbers, 80,000 bank account numbers, credit scores, and credit card account information, among other things. These belonged primarily to individuals and small businesses who had applied for credit card products between 2005 and 2019.

The data breach was initially not discovered by the companies, even though Thompson had posted about it on Twitter and other sites over several months, “and despite the fact that Capital One had records of the unauthorized intrusion.”

According to the complaint, Capital One had said publicly, “Safeguarding our customers’ information is essential to our mission as a financial institution.” The complaint alleges that Capital One “has almost limitless resources to protect the vulnerable data entrusted to it” and “was fully aware of the perils of a data breach and its legal responsibility to protect against a data breach…” It further claims that “all Defendants knew of the particular security vulnerabilities that permitted the Data Breach, but still failed to protect” the PII.

Capital One said it was able to “immediately address[] the configuration vulnerability” that permitted the breach, but the complaint says that was “too little too late” for those whose information was and “remains dangerously exposed and vulnerable to theft and fraud as currently maintained and used by Amazon and Capital One for their own profit.”

The complaint takes issue with Capital One’s decision to store its information in the AWS cloud, which it calls “an aggressive move into uncharted territory for a major bank.” This took the data out of the physical custody of the bank and put it into the hands of a third party. It also points to “a widely known flaw” in the AWS cloud environment: the fact that it was vulnerable to Server-Side Request Forgery (SSRF) attacks. The complaint describes this in detail.

The counts include negligence, negligence per se, and breach of contract, among other things.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Capital One Data Breach in Amazon’s Cloud Complaint

March 18, 2021

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy