Your guide to a better future
Affected customers could collect up to $25,000, according to a preliminary settlement.
Dan is a writer on CNET’s How-To team. His byline has appeared in Newsweek, NBC News, The New York Times, Architectural Digest, The Daily Mail and elsewhere. He is a crossword junkie and is interested in the intersection of tech and marginalized communities.
Capital One’s infamous 2019 data breach exposed the personal information of more than 100 million people and resulted in a class-action lawsuit that’s been tentatively settled to the tune of $190 million.
Plaintiffs in the case claim a hacker never would have been able to break into Capital One’s cloud computing systems, which were hosted on Amazon Web Services, if the company had taken adequate cybersecurity measures. In their complaint, they allege Capital One “knew of the particular security vulnerabilities that permitted the data breach, but still failed” to protect customers, putting millions at risk for fraud and identity theft.
Neither Capitol One nor Amazon responded to a request for comment.
Capital One hasn’t admitted to any wrongdoing but, according to court filings, agreed to the $190 million payout in December 2021, “in the interest of avoiding the time, expense and uncertainty of continued litigation.” The US District Court for the Eastern District of Virginia granted preliminary approval for the deal On Jan. 31, 2022.
At that time, prospective class members had until Aug. 22 to file a claim. The deadline has now been extended into September.
Here’s what you need to know about the Capital One data breach settlement, including how to find out if you’re eligible for a payout, how much money you could receive and the deadline for filing a claim.
For more on class-action cases, find out if you qualify for money from T-Mobile’s $350 million data breach case, Apple’s $14.8 Million iCloud storage settlement or Facebook’s $90 million data-tracking payout.
In one of the largest financial security breaches in US history, a hacker accessed the personal information of approximately 106 million Capital One customers and applicants in March 2019.
The massive hack went undiscovered for approximately four months before Capital One made it public in July 2019.
Seattle engineer Paige Thompson, a former Amazon cloud employee, was ultimately arrested in connection with the case. In June, she was convicted of wire fraud and unauthorized access and damages to a protected computer.
Capital One said Thompson illegally gained access to personal information related to credit card applications dating between 2005 and early 2019 for both personal and small-business accounts.
“With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet,” the Department of Justice said in a release, adding that Thompson used an alias to brag on social media and online forums about masterminding the attack.
Thompson is scheduled for sentencing on Sept. 15.
In addition to the $180 million class action lawsuit, Capital One was fined $80 million and agreed to enhance its cloud security standards.
Capital One said it immediately fixed its servers’ vulnerability to forged requests when it became aware of the breach.
Capital One said about 140,000 Social Security numbers and 80,000 US bank account numbers were exposed, as were birth dates, addresses, phone numbers, credit balances, transactions and credit scores.
An additional 1 million Canadian credit card customers and applicants had their Social Insurance Numbers stolen.
No credit card account numbers or login information was obtained by Thomas, the bank said.
Some 98 million applicants and cardholders are eligible to file a valid claim, according to Capital One. The company said it sent letters and emails to members whose Social Security numbers or bank account numbers were exposed in the hack.
Read more: Data Breaches Up Nearly 15% from 2021
Class members can collect up to $25,000 in cash for lost time and out-of-pocket expenditures relating to the breach, including unreimbursed fraud charges, money spent preventing identity theft and fees to professional data security services.
You can claim up to 15 hours of lost time spent addressing the issue, at a rate of at least $25 per hour.
The settlement also provides three years of free identity protection services through the Pango Group, including identity monitoring, lost wallet protection, security freeze capabilities, dark-web monitoring, free account restoration, and $1 million in identity theft and fraud insurance.
About 140,000 Social Security numbers and 80,000 Capital One account numbers were exposed, along with birth dates, addresses, phone numbers, credit balances, bank transactions and credit scores.
You can file online at the class action settlement website. You’ll need the Unique ID and PIN printed on the notice you received from Capital One in the mail or via email.
If you think you are eligible but didn’t receive a notice (or lost it), you can contact the Settlement Administrator at 855-604-1811 for help.
Valid claims require detailed documentation, including receipts, bank statements, voided checks and invoices.
The original deadline to file a valid claim in the Capital One case was Aug. 22. That deadline has been extended to Sept. 30.
The deadline for exclusion from the settlement in order to retain the right to pursue separate legal action was July 7.
A judge has given preliminary approval for the $180 million settlement. A final approval hearing was initially slated for Aug. 19 but was rescheduled to Sept. 8.
Assuming the settlement receives final approval then, and there are no appeals, checks could be sent out soon after. We’ll keep you updated as new information is made available.