Your guide to a better future
Final approval on the multimillion-dollar payout was granted this month, and the deadline to file a claim is quickly approaching.
Dan is a writer on CNET’s How-To team. His byline has appeared in Newsweek, NBC News, The New York Times, Architectural Digest, The Daily Mail and elsewhere. He is a crossword junkie and is interested in the intersection of tech and marginalized communities.
After nearly 100 million customers’ information was exposed in a , Capital One has agreed to a $190 million settlement to resolve a class-action negligence lawsuit. The deal received final approval on Sept. 8 and the deadline to file a claim — and get a piece of the payout — is swiftly approaching.
Plaintiffs in the case argued that convicted hacker Paige Thompson couldn’t have accessed Capital One’s Amazon-hosted cloud computing systems if adequate cybersecurity protections were in place. The bank “knew of the particular security vulnerabilities that permitted the data breach” according to their complaint, filed in the US District Court for the Eastern District of Virginia, but did nothing to rectify them. Its negligence put millions of people at risk for fraud and identity theft, they claimed.
Capital One didn’t respond to a request for comment. The company has denied any wrongdoing and, in a statement, said it was agreeing to the payout “in the interest of avoiding the time, expense and uncertainty of continued litigation.”
Here’s what you need to know about the Capital One settlement, including how to find out if you’re eligible for a check, how much money you could receive and how to file a claim.
For more on class-action cases, find out if you’re eligible for money from T-Mobile’s $350 million data breach case, Apple’s $14.8 million iCloud storage settlement or Sara Lee’s
In one of the largest financial security breaches in US history, a hacker accessed the personal information of about 106 million Capital One customers and applicants in March 2019. The massive attack went undiscovered until July 2019.
Capital One said about 140,000 Social Security numbers and 80,000 US bank account numbers were exposed, as well as birth dates, addresses, phone numbers, credit balances, transactions and credit scores. No login information or credit card account numbers were obtained, the bank said, though one million Canadian credit card customers and applicants had their Social Insurance Numbers revealed, as well.
Seattle engineer Paige Thompson, a former Amazon cloud employee, was ultimately arrested in connection with the cyberattack. In June 2022, she was convicted of wire fraud and unauthorized access and damage to a protected computer. Thompson illegally gained access to personal information related to credit card applications dating between 2005 and early 2019 for both personal and small-business accounts, Capital One said.
“With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet,” the Department of Justice said in a release, adding that Thompson used an alias to brag on social media and online forums about masterminding the attack.
Capital One was also fined $80 million and has agreed to enhance its cloud security standards. The corporation said, when it became aware of the breach, it immediately fixed its servers’ vulnerability to forged requests.
Some 98 million applicants and cardholders are eligible to file a valid claim, according to Capital One, which said it sent letters and emails to members whose Social Security numbers or bank account numbers were exposed in the hack.
If you think you’re eligible but did not receive a notice, contact the settlement administrator at 855-604-1811 for assistance.
About 140,000 Social Security numbers and 80,000 Capital One account numbers were exposed, along with birth dates, addresses, phone numbers, credit balances, bank transactions and credit scores.
Class members can collect up to $25,000 in cash for lost time and out-of-pocket expenditures relating to the breach, including unreimbursed fraud charges, money spent preventing identity theft and fees to professional data security services.
You can claim up to 15 hours of lost time spent addressing the issue, at a rate of at least $25 per hour.
The settlement also provides three years of free identity protection services through the Pango Group, including identity monitoring, lost wallet protection, security freeze capabilities, dark-web monitoring, free account restoration, and $1 million in identity theft and fraud insurance.
You can file online at the class-action settlement website. You’ll need the Unique ID and PIN printed on the notice you received from Capital One in the mail or via email, along with detailed documentation, including receipts, bank statements, voided checks and invoices. (If you lost your notice or never received one, contact the settlement administrator at 855-604-1811.)
You can also print out a paper claim form and mail it in, along with any supporting documentation, to the settlement administrator at:
Capital One Data Breach
P.O. Box 4518
Portland, OR 97208–4518
The original deadline to file a valid claim in the Capital One case was Aug. 22 but that deadline has been extended to Sept. 30, 2022.
The deadline for exclusion from the settlement in order to retain the right to pursue separate legal action expired on July 7.
The settlement was given final approval on Sept. 8, but there may still be appeals that slow the process down. The settlement administrator will notify claimants about the timeline for payments.
Payments will be made by either direct deposit or paper check, depending on the method selected.