Capital One reached a $190 million class action settlement in connection with a massive 2019 data breach that exposed personal information belonging to approximately 98 million U.S. consumers. This settlement represents one of the largest payouts related to a data breach and provides eligible consumers with direct compensation for out-of-pocket losses, free identity theft protection services, and reimbursement for time spent addressing the breach. If you held a Capital One credit card, bank account, or other financial product before the breach was discovered in July 2019, you may be entitled to claim compensation under this settlement.
The breach itself was significant in scope and severity. Paige A. Thompson, a former Amazon Web Services software engineer, gained unauthorized access to Capital One’s systems and exposed sensitive personal information including approximately 140,000 Social Security numbers, 80,000 linked bank account numbers, and a broader set of data including names, postal codes, birth dates, self-reported income, credit scores, credit limits, account balances, and payment histories. Thompson was subsequently indicted on federal charges of wire fraud and computer fraud and abuse. The combination of the massive number of affected consumers, the types of information exposed, and the identity risks created by the breach made this settlement a priority for Capital One and led to substantial compensation being made available to affected individuals.
Table of Contents
- WHAT HAPPENED IN THE CAPITAL ONE DATA BREACH AND WHEN?
- SETTLEMENT AMOUNT AND HOW THE MONEY IS DISTRIBUTED
- FREE IDENTITY THEFT PROTECTION AND MONITORING SERVICES
- HOW TO FILE A CLAIM AND WHAT DOCUMENTATION IS REQUIRED
- IMPORTANT DEADLINES AND LIMITATIONS YOU NEED TO KNOW
- WHO PERPETRATED THE BREACH AND HOW IT HAPPENED
- LESSONS FROM THE CAPITAL ONE BREACH AND INDUSTRY CHANGES
WHAT HAPPENED IN THE CAPITAL ONE DATA BREACH AND WHEN?
Capital One discovered the unauthorized access to its systems in July 2019 and immediately began working with law enforcement and security experts to investigate the incident. The company’s security team identified that an attacker had accessed customer information stored on cloud infrastructure. The breach was concerning because of both the number of customers affected and the sensitivity of the data exposed. Unlike some data breaches where only email addresses or phone numbers are compromised, the Capital One breach exposed financial information and government identifiers that criminals could use for identity theft or fraud.
The breach discovery triggered a cascade of notifications and regulatory actions. Capital One had to notify affected customers, law enforcement agencies, and state regulators. The company faced multiple lawsuits from affected consumers who claimed the data breach resulted from inadequate security practices and that they suffered damages as a result. These lawsuits were consolidated into a class action proceeding where all eligible consumers could potentially recover without having to file individual lawsuits. The breach also raised questions about how cloud-based financial institutions manage customer data security, particularly given that the perpetrator had insider knowledge of AWS infrastructure.

SETTLEMENT AMOUNT AND HOW THE MONEY IS DISTRIBUTED
The $190 million settlement was approved preliminarily on February 7, 2022, and received final approval from the court on September 13, 2022. This amount represents the total fund available to compensate affected consumers and pay for settlement administration costs and attorneys’ fees. However, not all of the $190 million goes directly to consumers—portions are allocated for claims administration, legal fees, and the cost of providing identity theft protection services through February 13, 2028. This is an important distinction because the actual amount available for individual claimant payouts depends on how many people file claims and what types of losses they document.
Individual claimants can receive up to $25,000 per person in compensation for documented out-of-pocket losses and time spent addressing the breach. Out-of-pocket losses include expenses like credit monitoring services, identity theft restoration costs, unreimbursed fraudulent charges, and other documented financial damages directly caused by the breach. For time spent dealing with the breach consequences, claimants can be reimbursed up to 15 hours at $25 per hour. This means the maximum time-based compensation is $375, though actual payment varies based on documented time. The settlement also provides that consumers who suffered out-of-pocket losses in excess of $25,000 may be able to recover additional amounts from a separate recovery fund, though such claims require extensive documentation and are subject to limitations.
FREE IDENTITY THEFT PROTECTION AND MONITORING SERVICES
One of the most valuable benefits included in the settlement is five years of complimentary identity theft protection services through Pango (branded as Identity Defense Services), available through February 13, 2028. This benefit is provided to all settlement class members automatically, even if they do not submit a claim for direct compensation. The identity monitoring services typically include credit monitoring, dark web monitoring, identity theft insurance, and restoration support if fraud is detected. Given that the breach exposed Social Security numbers and financial account information, having professional monitoring in place provides meaningful protection for affected individuals.
The availability of free identity theft protection helps address one of the ongoing risks created by the breach. When Social Security numbers and bank account information are exposed, criminals can use this data years later to commit fraud. By providing five years of monitoring, the settlement gives consumers protection during the period when the exposed information poses the greatest risk. However, it’s important to note that five years is a finite period, and some experts recommend that consumers continue to monitor their credit and identity even after the complimentary service period ends. This represents a potential limitation of the settlement—the protection is strong but temporary, leaving consumers responsible for ongoing vigilance beyond 2028.

HOW TO FILE A CLAIM AND WHAT DOCUMENTATION IS REQUIRED
To receive direct compensation from the settlement, affected consumers must submit a claim through the official settlement website at www.CapitalOneSettlement.com. The claim process requires documentation of losses and time spent addressing the breach. For out-of-pocket losses, claimants need to provide receipts, invoices, or other proof of expenses incurred as a result of the breach—this might include bills for credit monitoring services purchased before the settlement, out-of-pocket fraud reimbursement for unauthorized transactions, or documented expenses related to identity theft restoration. For time-based compensation, claimants document the hours spent dealing with the breach consequences, such as hours spent on phone calls with banks, reviewing credit reports, disputing fraudulent charges, or monitoring accounts.
The settlement has distributed funds in multiple payment rounds. Initial payments began on September 28, 2023, with a second distribution round occurring on September 4, 2024. The timing of payments depends on when claims are submitted, validated, and processed. If you have not yet filed a claim, the settlement remains open for additional submissions, though the distribution process is ongoing. It’s worth comparing this to other data breach settlements where the claim period was much shorter or where compensation was only automatic; the Capital One settlement provides the flexibility of filing claims over time, but requires more documentation than some settlements that provide automatic payments to all affected consumers.
IMPORTANT DEADLINES AND LIMITATIONS YOU NEED TO KNOW
While the settlement provides substantial benefits, there are important deadlines and limitations that consumers need to be aware of. The deadline for submitting claims has passed for the initial payment rounds, but the settlement website will specify the current deadline for any remaining claim windows. If you’ve already received payments in the September 2023 or September 2024 distributions, your claim was processed. If you haven’t yet filed a claim, checking the settlement website for the current deadline is essential because missing the deadline could disqualify you from receiving compensation. Settlement deadlines are firm, and there are generally no extensions or second chances once the deadline passes.
Another limitation is that the maximum payout per claimant is capped at $25,000 for direct losses. If you suffered greater losses as a result of the breach—for example, if your identity was stolen and you incurred substantial restoration costs and fraud expenses—the settlement provides a process to request additional recovery, but this requires meeting specific criteria and proving unusual damages. Additionally, the free identity protection is limited to five years, ending in February 2028. After that date, consumers will need to purchase their own identity monitoring services or rely on free options offered by banks and credit card issuers. The settlement does not cover any costs or claims related to events that occurred more than a few years after the breach was disclosed, which is a limitation for consumers who discover fraud or damage later.

WHO PERPETRATED THE BREACH AND HOW IT HAPPENED
Paige A. Thompson, a former Amazon Web Services software engineer, was identified as the person responsible for the data breach. Thompson exploited knowledge of AWS infrastructure and security configurations to gain unauthorized access to Capital One’s cloud-based systems. The ability to access 98 million customer records suggests that the attacker was able to navigate Capital One’s cloud environment and potentially escalate privileges within its systems. Thompson was indicted on federal charges of wire fraud and computer fraud and abuse, with prosecution handled through the federal justice system.
This criminal case proceeded separately from the civil settlement with consumers. The breach highlights a significant vulnerability: insiders with legitimate access to cloud infrastructure can pose substantial risks if they misuse that access. Thompson’s background as an AWS engineer provided the technical expertise to navigate cloud systems, find databases with customer information, and exfiltrate large volumes of data. The incident prompted discussion within the financial services industry about better monitoring of employee activities, restricting data access based on job needs, and implementing additional security controls around sensitive customer data repositories. That Capital One’s security team discovered the access through monitoring suggests that such breaches are often caught through defensive measures rather than through external reports.
LESSONS FROM THE CAPITAL ONE BREACH AND INDUSTRY CHANGES
The Capital One breach led to increased scrutiny of how financial institutions handle data security, particularly with respect to cloud-based storage and processing. Regulators became more focused on ensuring that companies implement proper security controls, conduct regular security assessments, and have incident response plans ready before a breach occurs. The settlement itself set a precedent for the scale of compensation that data breach victims could expect, influencing how companies evaluate the risks and costs of inadequate security. Since 2019, many financial institutions have invested heavily in additional security controls, employee background checks for sensitive roles, and monitoring systems designed to detect unauthorized data access.
The incident also reinforced the importance of identity theft protection for consumers in the digital age. As more sensitive personal information is stored electronically and accessed through cloud systems, the risk of large-scale breaches increases. The Capital One settlement’s inclusion of five years of free identity protection reflected recognition that affected consumers faced genuine ongoing risks. For consumers, the case demonstrated the value of monitoring financial accounts closely, responding quickly to credit reports or fraud alerts, and considering personal identity theft protection services as a prudent investment.
