Settlements to Watch: Capital One Agrees to Class-Action Payments

On Thursday, December 23, 2021, Capital One Financial Corporation, headquartered in McLean, Virginia, officially agreed to pay out a $190 million to customers who experienced the theft of their private data during a cloud storage hacking incident in 2019. The settlement agreement is the result of a class-action lawsuit by customers filed against the financial institution.

This is the best place to find settlement money

Who Hacked Capital One's Cloud Storage?

Financial experts consider the Capital One breach an example of one of the largest thefts of private data from any type of financial institution in history. On April 21, 2019, Paige A. Thompson, a 33-year-old Washington state resident and former Seattle tech company engineer, committed an intrusion into third-party, cloud computing server systems contracted and rented by Capital One. Eventually, Amazon confirmed that Thompson worked for their Amazon Web Services division between 2015 and 2016. The company denied that she hacked the underlying cloud-based infrastructure.

According to the United States Department of Justice, Thompson posted information about the data that she stole on a hosting and information sharing website known as GitHub. She was able to access the data via a gap in a firewall because of the misconfiguration of a web application. Capital One received an email alert about her post from a GitHub user on July 17, 2019. By July 19, Capital One alerted the Federal Bureau of Investigation (FBI) after confirming the hack. Eventually, the FBI confirmed Thompson's involvement, which the government considered both abuse of data and fraud, by tracing her name to linked social media accounts on Meetup and Slack under the handle "erratic." They then seized all of the electronic storage devices in her home via a warrant and found copies of the data on her drives.

The FBI's primary method for finding Thompson involved mining erratic's past posts and comparing them to posts on a Twitter account under the same username. Thompson often overshared her own personal information online. As erratic, she spoke previously on Slack about how she needed to euthanize her cat and posted a June 10 estimated veterinarian bill that included her complete name and address. The FBI found tweets about the pet under the same username on Twitter. Thompson as erratic also spoke on Slack about how she planned to seek mental health services, but that she wanted to dump the Capital One data online before seeking institutional care.

Who Was Impacted by The Theft?

Thompson stole the private data of over 100 million Capital One applicants and customers. The data included names, dates of birth, addresses, telephone numbers, email addresses, incomes, balances, credit limits and credit scores. She also stole credit repayment histories, approximately 140,000 social security numbers and approximately 80,000 credit card bank account numbers.

Capital One and Amazon Web Services have repeatedly denied any liability, but Capital One previously paid a fine of $80 million after federal regulators found proof that the company didn't possess appropriate cybersecurity when it started to use Amazon's cloud storage servers. Capital One and Amazon Web Services have agreed to this class-action lawsuit settlement and specific amount in the U.S. District Court for the Eastern District of Virginia to prevent longer, costly litigation.

What Happens Now?

The federal court judge overseeing this case, Judge Anthony Trenga, must evaluate the agreement between Capital One and Amazon Web Services and the customers who filed the class-action lawsuit. Everyone involved has asked the court to pause current proceedings while the agreement is under review.

Capital One claims that it has reserved the $190 million for payouts if the court allows the settlement to move forward. Capital One released a statement in which it noted that none of the facts have changed since 2019 in regards to who stole the data or the method used to commit the theft. Capital One also claimed that the data was recovered before anyone could use it in a fraudulent manner.

As of December 28, 2021, no additional details have become available. If the court approves the settlement, Capital One must reach out to all former and current applicants and customers impacted by the theft so that every affected person can file for their share of the settlement funds. The settlement amount should cover an estimated 98 million people.

If you were impacted by this serious, historic data breach, you can find additional details and updates on the 2019 Capital One Cyber Incident page (https://www.capitalone.com/digital/facts2019/) and by calling Capital One at 844-388-8999.