Capital One $190 Million Data Breach Cybersecurity Failure Class Action Settlement

The Capital One $190 million data breach settlement represents one of the largest cybersecurity-related class action settlements in U.S. history. In July 2019, Capital One disclosed that approximately 98 million people had their personal financial data stolen due to a misconfigured firewall on the company’s Amazon Web Services infrastructure. The breach exposed sensitive information including names, addresses, Social Security numbers, bank account numbers, dates of birth, credit scores, and payment histories.

The settlement was finalized on September 13, 2022, and direct compensation payments began on September 28, 2023. If you were a Capital One customer affected by this breach, you may have already received compensation, but important details about claiming your share and understanding the remaining benefits still matter. This article explains what happened, how much people could claim, whether claims are still being processed, and what identity defense protections remain available to affected individuals. The breach also led to additional scrutiny of Capital One’s business practices, resulting in a separate $425 million settlement in 2025 addressing deceptive interest-rate practices—showing that the consequences of the original security failure extended far beyond the data breach itself.

How Did Capital One’s Massive Data Breach Occur and Who Was Behind It?

On July 29, 2019, Capital One announced it had been the victim of a significant data breach caused by what the company described as a “misconfiguration” of its cloud-based firewall on Amazon Web Services (AWS) infrastructure. The breach was not the result of sophisticated zero-day exploits or nation-state-level attacks; instead, it stemmed from inadequate security configuration of basic infrastructure, a failure that some security experts viewed as a significant oversight for a major financial institution.

The attacker was identified as Paige A. Thompson, a former Amazon Web Services employee based in Seattle. Thompson exploited the misconfigured firewall to gain unauthorized access to Capital One’s systems and extract the personal and financial data of approximately 98 million individuals and small businesses. The technical simplicity of the attack—exploiting a configuration error rather than a software vulnerability—highlighted how even large corporations can have critical security gaps if proper monitoring and hardening practices aren’t in place. This case became a cautionary example used by security professionals when discussing why basic infrastructure security and regular configuration audits matter as much as sophisticated threat detection.

What Sensitive Personal and Financial Information Was Stolen in the Breach?

The data compromised in the Capital One breach was extensive and included categories of information that put victims at heightened risk for identity theft and financial fraud. According to Capital One’s official disclosure and the settlement documents, the stolen data included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income information from millions of individuals. Most critically, the breach exposed financial information that could be used for identity theft or unauthorized credit applications. This included credit scores, credit limits, account balances, and payment histories.

The breach also compromised 120,000 Social Security numbers and 80,000 linked bank account numbers—the most sensitive pieces of information for identity theft purposes. For a significant portion of the affected population, the combination of personal identifiers and financial account details meant they faced years of heightened risk for fraudulent activity, even after notification of the breach. Unlike some data breaches where information is stolen but not immediately monetized, the concern with the Capital One breach was the broad scope and combination of data elements. While Capital One stated there was no evidence the compromised data was used for identity theft after the breach, the mere exposure of SSNs and bank account numbers justified the settlement’s substantial compensation for identity defense services.

Capital One Data Breach Settlement Overview (chart): Individuals Affected: 98 million; Direct Reimbursement Maximum: $25,000; Time Compensation Maximum: $375; Monthly Cost: $0; Identity Defense Duration: 5 years. Source: Capital One Settlement Official Website, For The People Blog, Capital One Official 2019 Cyber Incident Facts

What Compensation Was Available Under the $190 Million Settlement?

The $190 million settlement created multiple pathways for compensation, reflecting both direct financial harm and the time and effort victims would need to spend monitoring their accounts and addressing potential identity theft. The settlement provided up to $25,000 in direct reimbursement for individuals who could document out-of-pocket losses directly caused by the breach. These losses might include fraudulent charges, credit monitoring services they purchased, or costs associated with addressing identity theft incidents. Beyond direct reimbursement, the settlement also offered compensation for time and inconvenience.

Affected individuals could claim up to 15 hours of lost time at $25 per hour (totaling $375) for the burden of dealing with the breach—time spent checking credit reports, disputing fraudulent charges, placing fraud alerts, or making calls to financial institutions. For the majority of affected individuals who did not suffer direct fraudulent losses, this time-based compensation and the free identity defense services represented the practical benefit of the settlement. The centerpiece of the settlement’s consumer protection was free enrollment in up to 5 years of Identity Defense Services, which was extended through February 13, 2028. This service included credit monitoring, dark web scanning for stolen information, identity restoration assistance, and legal referrals in case of identity theft. This benefit remained active even after the monetary compensation claims closed, providing continued protection to affected individuals during the highest-risk period following a data breach.

How Could Affected Individuals Claim Compensation from the Settlement?

Claiming compensation from the settlement required participation in the class action process, which began after the settlement received final court approval on September 13, 2022. The Capital One settlement administrators established a dedicated website (capitalonesettlement.com) where affected individuals could file claims for direct reimbursement and time-based compensation. To claim direct reimbursement of up to $25,000, claimants needed to document their out-of-pocket losses with receipts, statements, or other proof of payment. This might include charges for credit monitoring services they purchased, costs of credit freezes or fraud alerts, or documentation of fraudulent transactions.

For the time-based compensation, claimants could submit claims describing the hours spent dealing with the breach, though the settlement capped this at 15 hours regardless of actual time spent. The claim process was designed to be accessible to individuals without requiring them to hire attorneys, though the amount of documentation needed for direct reimbursement claims meant that some individuals chose to work with settlement claim specialists. However, the claims window was time-limited. Settlement deadlines required claimants to submit their claims by specific dates to receive consideration, and the settlement administrators strictly enforced these deadlines. Anyone who missed the deadline was excluded from compensation, regardless of whether they were aware of the settlement or the claims process.

Why Monetary Compensation Claims Are No Longer Being Accepted in 2025

A critical development occurred at the end of 2024: all monetary compensation claims under the Capital One settlement were fully closed. As of 2025, no new claims are being accepted, and no check reissues are allowed. This means that individuals who did not file claims by the settlement’s deadline have no remaining pathway to receive direct reimbursement or time-based compensation from the $190 million fund. This closure is final, regardless of whether someone was unaware of the settlement, forgot to file, or encountered barriers to submitting a claim.

The settlement terms specified fixed deadlines for filing, and once the claims window closed and all valid claims were processed and paid, the money that remained unclaimed was distributed according to the settlement agreement. This situation is common in large class action settlements, and it highlights the importance of monitoring settlement notifications and acting within specified timeframes. For those who filed claims before the deadline, the good news is that all valid claims were paid. For those who missed it, the only remaining benefit from the Capital One data breach settlement is the free Identity Defense Services, which continues through February 13, 2028.

The 2025 Capital One Settlement: A Second Major Judgment About Deceptive Practices

The consequences of Capital One’s security and business failures extended beyond the data breach itself. In 2025, a separate $425 million settlement was reached addressing a different set of issues: deceptive interest-rate and fee practices by the company.

This additional settlement indicates that regulatory agencies and consumers’ legal representatives identified systematic problems with how Capital One conducted its lending and account management practices. While the $190 million settlement addressed the security failure, this second settlement examined the company’s practices in how it advertised and applied interest rates and fees to customer accounts. Together, the two settlements represented over $600 million in consequences for Capital One and highlighted how a major cybersecurity incident can expose companies to additional regulatory scrutiny and civil liability in other areas of business.

What Remains Active: Identity Defense Services and the Ongoing Protection Window

Although monetary compensation claims closed at the end of 2024, the identity defense benefits under the Capital One settlement remain active and valuable through February 13, 2028. This extended timeline is significant because identity theft risks are highest in the years immediately following a data breach, when stolen information may be exploited by criminals. The free identity defense services include credit monitoring, which alerts individuals to new accounts opened in their name or significant changes to their credit profile.

They also include dark web scanning, which notifies individuals if their personal information appears in compromised data repositories or criminal forums. Looking forward, the Capital One case continues to serve as a reference point in discussions about corporate responsibility for data breaches, the adequacy of settlements relative to actual harm, and the importance of cloud security infrastructure. As more companies migrate to cloud-based systems, the lessons from Capital One’s misconfigured firewall remain relevant to corporate security practices.
