Capital One (COF) was hit with a lawsuit on Tuesday accusing it of serious “security failures,” less than 24 hours after it disclosed a hack that exposed the personal data of 100 million people in the U.S. and 6 million more in Canada.
The proposed class action was filed in federal court in Washington, D.C. on behalf of Capital One customers whose data was breached. It accused the bank of negligence for failing to safeguard personal data including Social Security numbers.
As evidence of this alleged negligence, the lawsuit claims that Capital One had “ample warnings of weaknesses and risks to its systems” stemming from multiple past security breaches. For example, the complaint says, in January 2018 Capital One suffered a data breach that exposed 50GB of “highly sensitive information” that put the network at risk.
The bank has also issued letters to customers three times in 2017 and once in 2014 informing them that their data might have been breached, the suit claimed.
‘Capital One acted fairly quickly’
On Monday, Capital One revealed the data theft affected roughly 100 million customers in the U.S. and 6 million in Canada. The alleged culprit for the breach is a 33-year-old software engineer named Paige Thompson, a former employee of Amazon Web Services (AMZN), which hosts the Capital One database that was breached.
The lawsuit filed Tuesday, and the ones that will inevitably follow, may face challenges because early news reports suggest that Thompson did not actually do anything nefarious with the information she stole.
“Lawsuits could face obstacles because early reporting suggests that the alleged culprit had not yet distributed or used the personal data she stole,” William McGeveran, a professor at the University of Minnesota’s Law School, told Yahoo Finance. “So, it may be difficult for consumers to show they were harmed.”
Another factor that could influence the outcome of the lawsuit is how quickly Capital One notified customers once it became aware of the breach.
“My sense is that Capital One acted fairly quickly,” said Mark Bartholomew, a cyberlaw expert and professor at the University at Buffalo’s School of Law.
In contrast, credit bureau Equifax (EFX) knew about its own massive 2017 data breach for a month before it alerted customers, according to The New York Times. This month, the credit bureau revealed that it was paying $650 million to resolve most of the legal fallout from the breach, the largest-ever such settlement.
If Capital One does end up settling with consumers, Bartholomew said, it would probably be for less money because the claims likely wouldn’t be as egregious.
‘This type of identity theft is the most harmful’
The data that was stolen from Capital One largely included information collected when people and businesses apply for credit cards, such as addresses, dates of birth, and self-reported income. The bank said 140,000 Social Security numbers were compromised, as were 1 million Social Insurance Numbers, Canada’s equivalent of a Social Security number.
“The United States Government Accountability Office noted in a June 2007 report on Data Breaches ... that identity thieves use identifying data such as Social Security Numbers to open financial accounts, receive government benefits and incur charges and credit in a person’s name,” Tuesday’s lawsuit pointed out. “As the GAO Report states, this type of identity theft is the most harmful because it often takes some time for the victim to become aware of the theft, and the theft can impact the victim’s credit rating adversely.”
Amazon Web Services was not named as a defendant. As Bartholomew noted, data holders such as Amazon typically do not face liability in such cases. Amazon also likely had a contract with Capital One stating that the bank would be liable for any data breaches, he said.
Capital One did not provide immediate comment on the lawsuit.
Erin Fuchs is deputy managing editor at Yahoo Finance.