Capital One Financial Corporation and Amazon Web Services Inc. have been hit with a proposed class action for purportedly failing to safeguard customer data after the bank’s servers were hacked. A similar class action suit against Capital One was filed in Virginia last week, and many others are pending.
The suit stems from the recent breach of Capital One’s servers, which saw the personal information of 100 million people exposed. The complaint states that up to 140,000 Social Security numbers and 80,000 bank account numbers, as well as an unspecified number of customers’ credit card information, among other sensitive details, were exposed in the breach.
The complaint argues that the defendants failed to use industry-standard security measures, such as data encryption and tokenization, failed to test Capital One’s firewall security, and failed to configure its servers properly. If these basic steps were taken, the case says, the hack could have been prevented.
The alleged hacker, a former software engineer for Amazon Web Services, was reportedly able to access Capital One customers’ personal information through the bank’s servers, which were hosted by Amazon, because the firewalls protecting the servers were configured incorrectly, the lawsuit says. She reportedly had access to the servers for four months before being detected and posted customer information on the tech site GitHub. The defendants discovered the breach when an anonymous party tipped them off that customer information had been posted on the site, the suit states.
Capital One has stated that it doesn’t believe it’s likely that the compromised personal information was used fraudulently, but the suit contends otherwise. The lawsuit quotes noted cybersecurity expert Brian Krebs, who said, “it seems likely that at least some of that data could have been obtained by others who may have followed [the hacker’s] activities on different social media platforms.”
Though Capital One publicly acknowledged the breach, the bank waited 12 days before alerting customers whose information was potentially exposed, the case says.
If certified, the proposed class will be massive and cover everyone in the United States whose data was exposed during the breach, with a separate subclass for those affected in California.
Capital One is offering free credit monitoring to those affected by the breach.