Capital One customers who had their confidential data compromised in a massive privacy breach in 2019 will be able to seek damages in court. A Quebec Superior Court judge on Tuesday authorized a class action against Capital One Bank, Amazon Inc. and several of their subsidiaries.
Judge Bernard Tremblay recognized as plaintiff Michael Rodier and authorized the firm Consumer Law Group to represent on his behalf all consumers against two groups of defendants, on the one hand, the Canadian subsidiary of Capital One Bank, Capital Financial Corporation and Capital One Bank (USA) National Association, and, on the other hand, Amazon.com inc., Amazon.com.ca inc., Amazon Web Services Canada inc., Amazon Web Services inc. and Amazon Technologies Inc.
Amazon is being sued because Capital One outsourced the cloud storage of its banking data to it in 2015 and it was an American employee of the e-commerce giant who was behind the breach of confidentiality.
Justice Tremblay referred to the class of plaintiffs as: “All persons, entities or organizations who reside in Quebec and who have held a credit card issued by Capital One” or who have applied for one “and whose personal information has made subject to unauthorized access on March 22 and 23, 2019”.
The information compromised and made accessible included names, addresses, telephone numbers, dates of birth, social insurance numbers and other data constituting the credit file of millions of individuals concerned, recalls Judge Tremblay. In Canada, it is estimated that approximately one million social insurance numbers have been compromised.
In the lawsuit that will follow, the plaintiffs seek monetary damages not yet quantified, compensation for expenses related to monitoring their credit since 2019 and in the future, as well as punitive damages.
The plaintiffs criticize Capital One and Amazon for their negligent and reckless conduct with respect to the confidentiality of the personal information they had a duty to protect.
In particular, they accuse the defendants of having been slow to act when the breach of confidentiality became known. Plaintiffs say the vulnerability in Amazon’s system was reported internally on April 14, 2019 (three weeks after the break-in by Amazon employee Paige A. Thompson) and that Capital One did not report it. discovered only on July 17, 2019 following a communication by a third party.
The plaintiffs also accuse Capital One of having delayed informing its customers of the intrusion, then of having offered only two years of free banking supervision by Equifax and TransUnion, when the intrusion may raise fears of fraud well after. expiry of this measure.
On these two specific topics, the defendants plead no damage: “the evidence offered at the authorization stage reveals that even if she succeeded in obtaining access to members’ personal information collected by Capital One and then housed in a space public cloud computing made available to them and managed by Amazon, Paige A. Thompson did not, as was established during her criminal trial held in the United States, communicate this information to a third party, nor make any use of it. ci, so that neither the plaintiffs nor the putative members suffered identity theft and likely never will,” writes Justice Tremblay, summarizing the position of Capital One and Amazon.
She pleaded guilty in September 2022 and was sentenced to time already served plus five years probation. Rarely, the state attorney, who was asking for seven years in prison, had criticized this sentence as being too lenient.
The breach of security confidentiality at Capital One has sparked numerous class action demands, in Canada and the United States.
It could prompt other actions since the judge observes that Capital One and Amazon blame each other. “There is little or no doubt that litigation will eventually arise between Amazon and Capital One, if it has not already, in the event that a class action is authorized against Capital One” , wrote Justice Tremblay in his decision.