Plaintiff Sues Banks, AWS, Saying Hackers Accessed His Credit Accounts
San Francisco resident Venton Smith, who claims his personally identifiable information (PII) was exposed in a 2019 Capital One data breach in which an Amazon Web Services employee stole data affecting about 106 million customers, is suing over 20 merchants,…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
banks and credit reporting agencies, said his pro se lawsuit (docket 3:23-cv-02804) filed June 7 in U.S. District Court for Northern California in San Francisco. Though Capital One claimed it “immediately addressed the configuration vulnerability” through which convicted AWS employee Paige Thompson was able to gain unauthorized access to Capital One’s AWS cloud server by exploiting a web application firewall, the bank didn't notify Smith that his PII was exposed to hackers, he said. Capital One notified customers four months after the breach, though its internal logs showed hacker connections to the server March and April 2019. Three years after the data breach, Capital One has begun “selectively notifying some customers” that their Social Security numbers were exposed in the breach, said the complaint. Smith applied for a Discover credit card account in November and was denied, it said. He obtained a copy of his credit report and discovered “late and delinquent” accounts reported under his name that did not belong to him from Comenity, Jared, Valero, Lending Club, SunTrust, Synchrony, TD Bank and Truist that had been opened between November 2019 and December 2020. At least 12 existing accounts were fraudulently accessed to buy unknown merchandise using existing accounts for American Express, Best Buy, Capital One, Chase, Citibank, Macy’s and Nordstrom for a total $92,300 in loans, merchandise and products, he said. Despite receipt of identity theft and fraudulent activity police reports, credit reporting agencies and furnisher defendants continued adversely reporting identity theft and fraud on Smith’s credit profile. Furnisher defendants “failed to conduct a reasonable reinvestigation” into disputed information to consumer reporting agencies they “knew or should have known was inaccurate,” said the complaint. Among Smith’s claims are negligence, unjust enrichment, breach of confidence and contract and violation of California’s Unfair Competition Law.