In 2019, Capital One suffered a massive data breach exposing the sensitive personal and financial information of **100 million customers**, including Social Security numbers (SSNs), bank account details, credit scores, and transaction data. The breach stemmed from a misconfigured firewall in the bank’s cloud infrastructure, exploited by a hacker who gained unauthorized access. Beyond the immediate data exposure, the incident eroded public trust, triggered regulatory scrutiny, and led to a **$425 million class-action settlement**—one of the largest in U.S. banking history. The settlement addressed both the breach and allegations of deceptive marketing tied to the bank’s **360 Savings accounts**, where customers claimed they received lower interest rates than advertised. The fallout included financial restitution ($300M in cash payments, $125M in interest adjustments), reputational damage, and heightened compliance demands. The breach underscored systemic vulnerabilities in financial institutions’ cybersecurity practices, particularly in securing cloud-based customer data.
Source: https://theboronewspaper.com/capital-one-settlement-2025/
TPRM report: https://www.rankiteo.com/company/capital-one
{
  "id": "cap5092250102525",
  "linkid": "capital-one",
  "type": "Breach",
  "date": "6/2019",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '100,000,000+ (U.S. and Canada)',
'industry': 'Financial Services',
'location': 'McLean, Virginia, USA',
'name': 'Capital One Financial Corporation',
'size': 'Fortune 500 company (100M+ customers '
'affected)',
'type': 'Banking Institution'},
{'customers_affected': 'Eligible account holders '
'between September 18, 2019, and '
'June 16, 2025',
'location': 'USA',
'name': 'Capital One 360 Savings Account Holders',
'type': 'Customers'}],
'attack_vector': 'Misconfigured Web Application Firewall (WAF) on AWS cloud '
'infrastructure',
'customer_advisories': ['Eligible customers automatically enrolled; no claim '
'filing required',
'Direct deposits or checks issued post-approval '
'(early 2026)',
'Warning against phishing scams impersonating '
'settlement administrators'],
'data_breach': {'data_encryption': 'No (data stored in unencrypted S3 '
'buckets)',
'data_exfiltration': 'Yes (data stolen and partially leaked '
'online)',
'file_types_exposed': ['PDFs', 'CSV files', 'Database dumps'],
'number_of_records_exposed': '100,000,000+ (U.S. and Canada)',
'personally_identifiable_information': 'Yes (names, '
'addresses, SSNs, '
'dates of birth)',
'sensitivity_of_data': 'High (SSNs, bank account details, '
'credit scores)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data',
'Credit History',
'Transaction Records']},
'date_detected': '2019-07-19',
'date_publicly_disclosed': '2019-07-29',
'description': 'The Capital One $425M class action settlement addresses a '
'2019 data breach that compromised 100 million customers’ '
'sensitive data, including SSNs, credit information, and '
'account details. The settlement also resolves allegations of '
"unfair industry rate practices related to the bank's 360 "
'savings accounts, where customers allegedly received '
'lower-than-advertised rates. Eligible customers (those with '
'active 360 savings accounts between September 2019 and June '
'2025) are entitled to compensation through direct deposits or '
'checks, with a total settlement fund of $425M allocated as '
'$300M for cash payments and $125M for increased interest. The '
'settlement is pending final court approval (hearing scheduled '
'for November 6, 2025), with distributions expected in early '
'2026.',
'impact': {'brand_reputation_impact': 'Severe damage due to breach and '
'subsequent allegations of unfair '
'practices; loss of customer trust',
'customer_complaints': 'Widespread complaints regarding misleading '
'marketing practices for 360 savings '
'accounts (lower-than-advertised interest '
'rates)',
'data_compromised': ['Social Security Numbers (SSNs)',
'Credit Scores',
'Transaction Data',
'Bank Account Numbers',
'Personally Identifiable Information (PII)',
'Credit Card Application Data (2005-2019)'],
'financial_loss': '$425M (settlement amount)',
'identity_theft_risk': 'High (due to exposure of SSNs and PII)',
'legal_liabilities': ['$425M class action settlement',
'Potential regulatory fines (e.g., CFPB, '
'OCC)',
'Ongoing litigation from state attorneys '
'general (e.g., New York)'],
'operational_impact': 'Significant reputational damage; regulatory '
'scrutiny; customer trust erosion; legal and '
'compliance costs',
'payment_information_risk': 'High (bank account numbers and credit '
'card data exposed)',
'systems_affected': ['AWS Cloud Infrastructure',
'Capital One Credit Card Application System',
'Customer Savings Accounts (360 Savings)']},
'initial_access_broker': {'backdoors_established': 'Yes (persistent access to '
"Capital One's cloud "
'servers)',
'data_sold_on_dark_web': 'Partial (some data shared '
'on GitHub and online '
'forums)',
'entry_point': 'Misconfigured AWS Web Application '
'Firewall (WAF)',
'high_value_targets': ['Credit card application '
'data (2005-2019)',
'360 Savings account holder '
'PII'],
'reconnaissance_period': '2019-03 to 2019-07 '
'(Thompson exploited '
'vulnerability for '
'months)'},
'investigation_status': 'Closed (breach investigation completed; settlement '
'pending final court approval on November 6, 2025)',
'lessons_learned': ['Critical importance of cloud security configurations '
'(e.g., AWS S3 bucket permissions)',
'Need for continuous monitoring and auditing of '
'third-party infrastructure',
'Transparency in marketing practices to avoid customer '
'distrust',
'Proactive incident response and customer communication '
'strategies'],
'motivation': ['Financial Theft',
'Fraud',
'Exploitation of Misconfigured Systems'],
'post_incident_analysis': {'corrective_actions': ['Overhauled cloud security '
'posture (e.g., automated '
'permission reviews)',
'Launched customer '
'compensation program '
'($425M settlement)',
'Enhanced transparency in '
'interest rate disclosures',
'Expanded cybersecurity '
'team and incident response '
'capabilities'],
'root_causes': ['Inadequate cloud security '
'controls (AWS S3 bucket '
'misconfiguration)',
'Lack of real-time monitoring for '
'anomalous access',
'Over-reliance on third-party '
'(AWS) without sufficient '
'oversight',
'Misleading marketing practices '
'for 360 savings accounts '
'(contributed to lawsuit)']},
'recommendations': ['Implement zero-trust architecture for cloud environments',
'Regular penetration testing and red team exercises',
'Enhance employee training on secure coding and access '
'controls',
'Establish clearer internal policies for interest rate '
'disclosures',
'Strengthen partnerships with law enforcement for threat '
'intelligence sharing'],
'references': [{'date_accessed': '2025-10-01',
'source': 'Capital One Settlement Official Website',
'url': 'https://www.capitalonesettlement.com/'},
{'date_accessed': '2019-07-29',
'source': 'U.S. Department of Justice (Paige Thompson '
'Indictment)',
'url': 'https://www.justice.gov/usao-wdwa/pr/seattle-woman-charged-capital-one-data-breach'},
{'date_accessed': '2020-08-06',
'source': 'OCC Consent Order (2020)',
'url': 'https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-108.html'},
{'date_accessed': '2025-09-15',
'source': 'New York Attorney General Press Release',
'url': 'https://ag.ny.gov/press-release/2025/attorney-general-james-secures-425m-capital-one-over-data-breach-and'}],
'regulatory_compliance': {'fines_imposed': '$80M (OCC fine in 2020) + $425M '
'settlement',
'legal_actions': ['Class action lawsuit (settled in '
'2025)',
'Criminal charges against Paige '
'Thompson (2022 conviction)',
'Ongoing scrutiny by state '
'attorneys general (e.g., New '
'York)'],
'regulations_violated': ['Gramm-Leach-Bliley Act '
'(GLBA)',
'New York Department of '
'Financial Services '
'(NYDFS) Cybersecurity '
'Regulation',
'Potential violations of '
'Federal Trade Commission '
'(FTC) Act (misleading '
'marketing practices)'],
'regulatory_notifications': ['OCC',
'CFPB',
'State Attorneys '
'General',
'FBI']},
'response': {'communication_strategy': ['Public disclosure (2019)',
'Dedicated settlement website '
'(https://www.capitalonesettlement.com/)',
'Direct notifications to eligible '
'customers (2025)',
'FAQs and customer support channels'],
'containment_measures': ['Isolated affected AWS servers',
'Revoked unauthorized access',
'Patched misconfigured WAF'],
'enhanced_monitoring': 'Yes (continuous threat detection for '
'cloud environments)',
'incident_response_plan_activated': 'Yes (immediate containment '
'and FBI notification)',
'law_enforcement_notified': 'Yes (FBI arrested threat actor '
'Paige Thompson in 2019)',
'network_segmentation': 'Implemented post-breach',
'recovery_measures': ['$425M settlement fund (2025)',
'Automated compensation for eligible '
'customers',
'Increased interest payments for affected '
'savings accounts'],
'remediation_measures': ['Enhanced cloud security controls',
'Multi-factor authentication (MFA) '
'enforcement',
'Customer notification and credit '
'monitoring services (2019)'],
'third_party_assistance': ['Amazon Web Services (AWS)',
'Cybersecurity Forensics Firms',
'Legal Counsel']},
'stakeholder_advisories': ['Customers advised to update payment details by '
'October 2, 2025',
'Investors notified of financial impact in SEC '
'filings',
'Regulators provided periodic updates on '
'remediation progress'],
'threat_actor': {'alias': 'erratic',
'motivation': ['Financial Gain', 'Notoriety'],
'name': 'Paige A. Thompson',
'nationality': 'American'},
'title': 'Capital One Data Breach and Class Action Settlement (2019-2025)',
'type': ['Data Breach', 'Class Action Lawsuit', 'Regulatory Non-Compliance'],
'vulnerability_exploited': "Improper access controls in Capital One's "
'cloud-based firewall (AWS S3 bucket '
'misconfiguration)'}