Another proposed class action lawsuit has been added to the slew of ongoing litigation against Capital One over a recent data breach that reportedly affected over 100 million credit card applicants. Filed in Virginia federal court, the lawsuit claims Capital One Financial Corporation, Capital One, N.A., and Capital One Bank (USA), N.A. failed to properly safeguard customers’ private information in the lead up to “one of the largest data thefts from a financial institution in history.”
According to the lawsuit, Capital One built a custom web application hosted by Amazon Web Services that, due to a “misconfiguration,” was accessed by a programmer in March 2019. As a result, the case says, proposed class members’ names, addresses, contact information, dates of birth, self-reported income, credit information, Social Security numbers, and bank account numbers were collected by the hacker and posted on her GitHub account, “allowing other unauthorized users to access and exploit” their private information.
The lawsuit argues that the defendants’ alleged failure to maintain proper cybersecurity measures allowed for 140,000 Social Security numbers and 80,000 bank account numbers to be compromised. Further, Capital One, the suit says, failed to detect and disclose the breach for four months, and waited until July 29, 2019 to announce the security incident. From the complaint:
“In addition to Defendants’ failure to adequately implement, test and maintain reasonable cyber-security measures to protect against the wrongful disclosure or compromise of the PII, Defendants failed to timely detect and notify Plaintiff and Class members of the Data Breach in violation of their duties and applicable state data protection laws.”
The lawsuit seeks to certify both a nationwide class of individuals whose private information was compromised in the breach and a class of Missouri residents. The suit additionally looks to certify two subclasses—nationwide and, alternatively, those in Missouri—of people whose information was compromised in the breach after they entered into a credit card agreement with Capital One.