On July 19, 2019, Capital One announced that it had been the victim of a criminal cyberattack. According to the Department of Justice, Paige Thompson, a former software engineer at a Seattle technology company, gained unauthorized access to the personal information of nearly 100 million Capital One credit card customers and applicants in the United States.
Following the cyberattack, Thompson posted about the data breach on the information sharing site GitHub, according to a criminal complaint. The DOJ says a GitHub user who saw the post alerted Capital One on July 17, 2019.
Numerous lawsuits were brought against Capital One on behalf of the customers whose personal information was accessed as a result of the cyberattack. On Feb. 7, 2022, a U.S. federal court preliminarily approved a class action settlement related to the data breach. VERIFY viewer Tamara recently received an email about the settlement and asked our team to confirm whether it is real or not.
THE QUESTION
Is the Capital One data breach settlement real?
THE SOURCES
THE ANSWER
Yes, the Capital One data breach settlement is real.
WHAT WE FOUND
Tamara forwarded VERIFY the email she received from a website pointing to capitalonesettlement.com. The settlement website is legitimate, according to Capital One.
On a webpage that provides information about the July 2019 cyberattack, Capital One instructs customers affected by the breach to visit capitalonesettlement.com for additional details about the settlement.
According to the settlement administrator, Capital One is required to establish a settlement fund of $190 million. The settlement fund will be used to:
- Make cash payments for out-of-pocket losses and lost time;
- Purchase identity defense services;
- Purchase restoration services for all settlement class members, regardless of whether they make a claim;
- Pay the costs of notifying settlement class members and administering the settlement;
- Pay service awards to settlement class representatives and any other settlement class member who was deposed in the action, as approved by the court;
- Pay attorneys’ fees, costs, and expenses, as approved by the court.
If you spent money to deal with fraud or identity theft or to protect yourself from future harm as a result of the data breach, then you can submit a claim for reimbursement of up to $25,000 for the loss of out-of-pocket expenses. This includes costs incurred while preventing identity theft or fraud, professional fees, up to 15 hours of lost time at a rate of at least $25 per hour, and other miscellaneous expenses, according to the settlement administrator.
To claim reimbursement for out-of-pocket losses, the settlement administrator says you must provide “reasonable documentation,” which includes credit card statements, bank statements, invoices, telephone records, and receipts. While personal certifications, declarations, or affidavits do not constitute as reasonable documentation, they may also be included to provide clarification, context, or support. The settlement administrator will decide if your claim is valid, and says only valid claims will be paid.
If you received a notice about the settlement, you are likely a member of the settlement class — meaning you are among the approximately 98 million U.S. residents identified by Capital One whose information was accessed in the data breach, according to the settlement administrator. The notice contains a unique ID and a PIN, which are both required to file a claim form. Tamara received a unique ID and PIN in the email she received.
To confirm you are a settlement class member, and eligible for benefits, you can call 1-855-604-1811 or contact the settlement administrator at info@CapitalOneSettlement.com.
Claims must be filed online or by mail no later than August 22. A final settlement approval hearing will be held on August 19. For more information about the settlement, visit capitalonesettlement.com.
After the data breach, Capital One said it immediately fixed the issue and began working with federal law enforcement. Thompson, the person who took the data, was captured by the FBI and is facing federal charges for wire fraud and computer data theft related to the data breach. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by Thompson, according to Capital One. In 2020, the U.S. Treasury Department fined Capital One $80 million for careless network security practices related to the data breach.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Richard D. Fairbank, Capital One’s CEO, said. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”