Data Points: Privacy & Data Security Blog

The saga of the Capital One data breach, which impacted an estimated 106 million individuals in the U.S. and Canada, may soon be coming to an end. After more than two years of litigation, the parties have reached a settlement that would resolve existing and future consumer claims arising out of the 2019 breach which impacted Capital One customer information stored in the Amazon Web Services (AWS) cloud environment. If the settlement is approved, it will be one of the largest in any multidistrict data breach litigation.

On July 29, 2019, Capital One announced that certain information related to current and prospective customers had been stolen by a hacker from the AWS cloud instance where Capital One stored its data. The breach impacted approximately 98 million U.S. residents who had an account, or had previously applied for an account, with Capital One. The hacker stole approximately 140,000 social security numbers and 80,000 linked bank account numbers, as well as names, postal codes, birth dates, self-reported income, credit scores, credit limits, account balances and payment history. A former AWS software engineer, Paige A. Thompson, was indicted on federal charges of wire fraud and computer fraud and abuse in connection with the breach.

Under the terms of the settlement, Capital One would pay $190 million to compensate members of the settlement class for (among other things) out-of-pocket losses incurred in connection with the breach and for lost time spent dealing with issues related to the breach, as well as at least 3 years of identity theft prevention and resolution services. In addition, for at least two years, Capital One will implement and maintain significant changes to its business practices designed to improve its cybersecurity. In exchange, Capital One and AWS will be released from any further claims by the settlement class in connection with the breach. The proposed settlement is in addition to an $80 million penalty paid by Capital One in 2020 to settle claims by its regulators. The regulators alleged that Capital One engaged in unsafe or unsound practices in connection with moving its customer information to the AWS cloud. 

While Capital One remains a strong advocate for the use of cloud storage and computing in the financial services industry (even advertising its move to the public cloud on its website), a majority of other banks and financial institutions have been somewhat more cautious about moving critical business applications and customer data to cloud environments. Capital One’s experiences, including the 2019 breach and the resulting settlements with regulators and consumers, will no doubt inform other financial institutions in their decisions to use cloud computing and storage in the future.