Capital One Data Breach Litigation Continues – All Preventable

It’s old news that on July 19, 2019, Capital One Bank learned that a cyber-criminal gained access to 14 years of credit card holder and applicant information. Within two weeks, the FBI arrested 33-year-old Paige Thompson for hacking the Capital One servers and stealing data of over 100 million individuals located in the USA and Canada. Fortunately, Capital One and law enforcement believe that the data was recovered prior to the sharing or sale on the dark web. Unfortunately, this favorable outcome does not prevent lawsuits and now, Capital One faces 15 different civil claims in federal district court.

Pending in the United States District Court for the Eastern District of Virginia, In re Capital One Consumer Data Sec. Breach Litig., before United States District Judge Anthony J. Trenga, Plaintiff's Amended Consumer Class Action Complaint ("Amended Complaint") names Capital One and Amazon Web Services (“AWS”) as defendants.

According to court documents, the cyber-attack originated from a Server-Side Request Forgery (“SSRF”) attack on the AWS cloud, in which Capital One stored sensitive consumer data. SSRF attacks are those in which the attacker supplies or modifies a URL to the web-based server that tricks the server into performing certain functions or providing internal information (such as access credentials). In short, SSRF exploits the virtual trust between the web application server and other applications with which the server communicates without the need for constant authentication.

Plaintiffs’ Amended Complaint alleges that Capital One knew of the possibility of SSRF attacks on AWS’s cloud but attempted to mitigate the threats by encrypting all data on the AWS servers. However, unauthorized access to the right credentials in the AWS cloud allowed the hacker access beyond the firewall protecting the cloud and automatically decrypted the data.

Furthermore, Capital One's logs showed the hacker's connections or attempted connections to the AWS server in March and April 2019—four months before Capital One investigated. Thompson’s criminal complaint alleges that she stole approximately 1.75 terabytes of data on March 22-23, 2019; accessed Capital One's network on five (5) further instances over a three-month period; and publicly posted instructions on how she carried out the SSRF attack on Github.

Plaintiffs alleged damages include “mitigation efforts or expenses (such as time and money spent placing credit freezes on their accounts, setting up credit alerts, and purchasing credit monitoring), diminution in the value of their personal information, and increased risk of future identity theft or other fraud.” Seven plaintiffs suffered identity theft as a result of the breach.

In response to the Plaintiffs’ allegations, AWS and Capital One filed several motions to dismiss, most of which were denied (meaning the claims will proceed towards final adjudication with the court):

1. Count 1 (negligence), the negligence claims under the laws of Washington are dismissed; and the Motions are otherwise denied;

2. Count 2 (negligence per se), the negligence per se claims under the laws of California, Florida, Texas, Virginia, and Washington are dismissed; and the Motions are otherwise denied;

3. Count 3 (unjust enrichment), the Motions are denied;

4. Count 4 (declaratory judgment), the Motions are denied;

5. Count 5 (breach of confidence), the breach of confidence claims under the laws of California, New York, Texas, Virginia, and Washington are dismissed; and the Motions are otherwise denied;

6. Count 6 (breach of contract), the Capital One Motion is denied;

7. Count 7 (breach of implied contract), the Capital One Motion is denied;

8. Count 8 (California Unfair Competition Law), the Motions are denied;

9. Count 9 (California Consumer Legal Remedies Act), the Motions are denied;

10. Count 10 (Florida Deceptive and Unfair Trade Practices Act), the claim against Capital One is dismissed as abandoned; and the Motions are otherwise denied;

11. Count 11 (New York General Business Law)the Motions are denied;

12. Count 12 (Texas Deceptive Trade Practices Act—Consumer Protection Act), the Motions are denied;

13. Count 13 (Virginia Personal Information Breach Notification Act), the Motions are denied;

14. Count 14 (Washington Data Breach Notification Act), the Motions are denied; and

15. Count 15 (Washington Consumer Protection Act), the Motions are denied.

With more than 15 different claims, Capital One faces an expensive litigation that threatens the viability of the bank – all of which could likely have been prevented by consistent log audits and not willfully ignoring known vulnerabilities of its service providers. Let this story be a lesson that neglecting audit log reviews and ignoring known security flaws may land your business in federal court.