Hours after announcing that the data of consumers and small businesses wasaccessed during a data breach, Capital One Financial Corporation finds itself as the defendant in a proposed class action lawsuit centered on its alleged failure to safeguard the financial and personal details of roughly 106 million credit card customers and applicants.
Filed in federal court in the District of Columbia, the complaint details that the information accessed by a now-indicted Seattle-based hackerincludes bank account numbers, snippets of transaction histories, self-reported incomes, credit scores and personal information, such as Social Security numbers, addresses, phone numbers, email addresses and birth dates. According to the lawsuit, the data breach occurred on March 22 and 23, 2019 yet was discovered by Capital One and co-defendants Capital One, N.A. and Capital One Bank (USA), N.A. on July 19. Capital One, the case stresses, waited until July 29 to disclose the breach, more than four months after proposed class members’ information was compromised.
The lawsuit states Capital One only discovered the cyber incident after an unrelated third party sent the company the below email, which included a link to a file containing the information stolen during the data breach:
The lawsuit argues Capital One had an obligation to protect its customers’ confidential information from unauthorized access, promising as much in its credit card applications that make explicit reference to 256-bit Secure Sockets Layer (SSL) Technology. From the complaint:
“Defendants’ security failures demonstrate that they failed to honor their duties and promises by not:
a. maintaining an adequate data security system to reduce the risk of data breaches and cyber-attacks;
b. adequately monitoring its system to identify the data breaches and cyber-attacks; and
c. adequately protecting Plaintiff’s and the Class’s Sensitive Information.”
Further, Capital One, according to the case, had “ample warnings” of the apparent weaknesses and risks to its data systems. Cited in the lawsuit is a January 2018 data breach during which 50GB of sensitive information was allegedly accessed. Moreover, the defendants have reportedly issued letters to an undisclosed number of customers informing them that their personal information may have been accessed.
The lawsuit looks to cover a proposed class of consumers across the United States whose sensitive information was maintained on the servers of Capital One and the cloud computing company used by Capital One and was compromised as a result of the data breach announced on July 29.