Consumers filed a class-action lawsuit against Capital One following a massive data breach. The lawsuit is one of many to result from the breach. Both Amazon and GitHub also currently face litigation as co-defendants in several suits stemming from the attack. In general, the suits allege the companies did not properly monitor for breaches, failed to fix known system vulnerabilities, and took too long to inform consumers about the attack.
The most recent suit, filed in Seattle, seeks damages based on the theory that Capital One promised to protect consumers’ data, which led consumers to trust the company with their personal information. Therefore, Capital One’s failure constitutes an inability to meet consumers’ reasonable expectations about the security of their information.
“At all relevant times, Capital One — through its Notice of Privacy Practices and other written assurances — promised to safeguard and protect Plaintiffs’ and the Class members’ PII in accordance with federal, state and local laws, and industry standards. Capital One breached this promise,” the court filing stated.
The size and sensitive nature of the data, as well as the high-profile nature of the attack, are now attracting the attention of consumers, litigators, and legislators. Ron Wyden, the ranking member of the Senate Finance Committee, recently sent a letter to Amazon CEO Jeff Bezos. In it, he asks about the default configuration settings for Amazon’s cloud computing products. It is widely believed Capital One used Amazon servers to store the consumer data stolen in the attack.
“When a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on the company’s cybersecurity practices,” the letter said. “However, if several organizations all make similar errors, it’s time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.”