In 2019, hackers were able to gain access to more than 100 million Capital One customer accounts and credit card applications, compromising the personal information of thousands of people across the U.S.
Now, those impacted by the breach have just a few weeks to claim their part of a $190 million settlement reached in a class-action lawsuit.
As part of the lawsuit, plaintiffs say Capital One’s cloud computing systems, which were hosted by Amazon, lacked adequate protections to stop hackers. Capital One and Amazon are listed as defendants in the lawsuit, and have denied wrongdoing and “that the information accessed by the attacker had been made public or disseminated by the attacker,” according to a website created for the settlement.
Capital One agreed to the $190 million settlement in December, and a U.S. federal court preliminarily approved it in February.
Originally, those who may qualify for the settlement had until Aug. 22 to file a claim. The deadline has now been extended to Sept. 30, CNET reports.
What happened in the breach?
While hackers had access to accounts in March 2019, the breach wasn’t made public until four months later in July.
The same month, former Seattle tech worker Paige A. Thompson was arrested after Capital One informed the FBI of her “hacking activity.” Federal authorities found Thompson was able to use a tool she created to scan Amazon Web Services accounts looking for misconfigured accounts.
She then used those accounts to hack and download data from over two dozen entities, including Capital One. The U.S. Department of Justice accused her of posting about her theft on sharing site GitHub.
Earlier this year, Thompson was convicted of wire fraud and computer intrusions. She is scheduled to be sentenced in September.
Capital One says it has since addressed the flaw in its system and agreed, as part of the settlement, to “adopt, pay for, implement, and maintain extensive Business Practice Commitments related to information security for a period of at least two (2) years.”
Are you eligible for payment in the settlement?
Roughly 98 million Americans are eligible for a cash payment in the settlement, according to Capital One. The bank says it has sent a notice to those who “are likely a member of the Settlement Class.” You can also call 1-855-604-1811 to confirm your eligibility.
Anyone who already chose to opt-out of the settlement does not qualify to receive a payment.
How to file a claim
If you are an eligible member of the settlement class, Capital One says you can file a claim to be reimbursed up to $25,000 in cash for lost time (up to 15 hours at a rate of at least $25 an hour) and out-of-pocket costs relating to the breach. This includes fraud charges, money you spent to prevent identity theft, and fees to address identity theft, fraud or falsified tax returns.
Additionally, you can submit a claim to enroll in at least three years of Identity Defense Services through the Pango Group at no cost.
Claims must be filed online or mailed in by September 30, 2022. You will need the Unique ID and PIN included in the notice Capital One sent via mail or email. If you haven’t received a notice, or misplaced yours, you can call a Settlement Administrator at 1-855-604-1811 for assistance.
According to Capital One, if you are requesting reimbursement for out-of-pocket losses and/or lost time, you will need to provide additional, detailed information to qualify.
Because final approval for the settlement is still pending — a hearing is scheduled for September 8 — it’s unclear when exactly payments will be sent out. If the settlement receives final approval, payments could be available soon after.