Capital One Financial agreed to pay $190 million to settle a class-action lawsuit that customers filed against the firm after a hacker — purportedly a Seattle woman who had held a day job with Amazon Web Services — broke into its cloud-computing systems and stole their personal information.

Representatives for those customers, Capital One and AWS — the lender’s cloud provider — jointly asked Judge Anthony Trenga to pause proceedings while the court evaluates the agreement. The settlement will cover 98 million Americans, and Capital One said it is fully reserved for the amount.

“While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs,” according to a filing with the U.S. District Court for the Eastern District of Virginia. 

In July 2019, Capital One announced data from about 100 million people in the U.S. was illegally accessed. Federal authorities ultimately arrested Paige A. Thompson, a former Amazon cloud employee living in Seattle, for breaking into the bank’s server. 

Federal judge releases Capital One hacking suspect pending trial, but orders her to stay away from computers (2019)

“The key facts in this case have not changed since we announced the event in coordination with federal authorities more than two years ago: the hacker was arrested and the stolen data was simultaneously recovered before it could be disseminated or used for fraudulent purposes,” Capital One said in an emailed statement Thursday. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.”

Advertising

In court, attorneys for Thompson contend she sought a bounty payment from Capital One after identifying a vulnerability in the company’s system. Such payments to “white hat” hackers are common practice.

When Capital One did not pay, Thompson posted code related to the vulnerability online and copied personal information provided by 100 million people who had applied for Capital One credit cards, federal prosecutors allege.

Thompson’s attorneys contend prosecutors have attempted to penalize her for conduct that is not in fact criminal, like examining public-facing servers for security flaws or using the “dark web.” They’ve asked a federal judge in Seattle to dismiss the most serious of the 10 counts Thompson faces. Her trial, currently scheduled for March, has been repeatedly delayed.

Capital One has remained one of the financial industry’s earliest and biggest proponents of cloud technology, and last year finished exiting its data centers. The McLean, Virginia-based firm, which also has been investing in cybersecurity, last year poached Andy Ozment from Goldman Sachs to become one of its leading information-security executives.