UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
(Alexandria Division)

Civil Action No. ______________

ANDREW BRODERICK, JACQUELINE BURKE, SUSAN CORLEY, LYNN FIELDS, KIMBERLY HERNANDEZ, KRISTINA MENTONE, MARK MILLER, MORDECHAI NEMES, RYAN OLSEN, DEBRA POTZGO, SHAWN SPEARS, JANETT STOUT, COLE STUDEBAKER, and JONATHAN WONG, each individually and on behalf of all others similarly situated,

Plaintiffs,

v.

CAPITAL ONE FINANCIAL CORPORATION, CAPITAL ONE BANK (USA) N.A., AMAZON.COM, INC., and AMAZON WEB SERVICES, INC.,

Defendants.

CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL

Brian J. Dunne (CA 275689)
bdunne@piercebainbridge.com
PIERCE BAINBRIDGE BECK PRICE & HECHT LLP
355 S. Grand Avenue, 44th Floor
Los Angeles, CA 90071
Tel: (213) 262-9333

Andrew M. Williamson (VA 83366)
awilliamson@piercebainbridge.com
Andrew J. Pecoraro (VA 92455)
apecoraro@piercebainbridge.com
PIERCE BAINBRIDGE BECK PRICE & HECHT LLP
601 Pennsylvania Avenue, NW
South Tower, Suite 700
Washington, D.C. 20004
Tel: (202) 318-9001

Yavar Bathaee (NY 4703443)
yavar@piercebainbridge.com
Michael M. Pomerantz (NY 2920932)
mpomerantz@piercebainbridge.com
David L. Hecht (NY 4695961)
dhecht@piercebainbridge.com
Max P. Price (NY 4684858)
mprice@piercebainbridge.com
Michael K. Eggenberger (NY 5288592)
meggenberger@piercebainbridge.com
PIERCE BAINBRIDGE BECK PRICE & HECHT LLP
277 Park Avenue, 45th Floor
New York, New York 10172
Tel: (212) 484-9866

Attorneys for Plaintiffs

Case 1:19-cv-01454-TSE-JFA Document 1 Filed 11/15/19 Page 2 of 122 PageID# 2

TABLE OF CONTENTS

                                                                                  PAGE
INTRODUCTION ........................................................................ 1
PARTIES ............................................................................ 10
    I.   Defendants ................................................................. 10
    II.  Plaintiffs ................................................................. 12
JURISDICTION AND VENUE ............................................................. 17
FACTUAL ALLEGATIONS ................................................................ 18
    I.   Credit Cards and Sensitive Personal Information—The Quid Pro Quo ......... 18
    II.  Capital One’s Express Promise to Safeguard Sensitive Customer Data ........ 26
    III. Cloud Computing ............................................................ 30
         A. Amazon and AWS .......................................................... 32
            1. Amazon Develops AWS .................................................. 32
            2. AWS and the Machine-Learning Edge .................................... 34
            3. The AWS Business Model and the Adoption Feedback Loop ................ 36
            4. The Bug Is a Feature: The Dynamic Access, Data Pooling,
               and Server-Side Request Forgery Problems ............................. 38
         B. Capital One Knew About the Risks of Pooling Sensitive Data
            in the AWS Cloud ........................................................ 50
         C. Capital One Moves to Amazon’s AWS ....................................... 55
            1. Capital One and Amazon Partner to Move Capital One’s Data
               to the Cloud ......................................................... 55
            2. Cloud Custodian: Amazon and Capital One’s Potemkin Village ........... 56
            3. Capital One Migrates to the AWS Cloud and Applies Machine-Learning
               to Customer Data under the Cover Provided by Cloud Custodian ......... 65
    IV.  The 2019 Data Theft ........................................................ 68
         A. Hacker, Paige Thompson, Exploits Capital One’s Inherently
            Flawed Cloud-Based System ............................................... 68
         B. Capital One Discovers the Data Theft .................................... 70
         C. Capital One’s Response .................................................. 71
         D. Amazon’s Response ....................................................... 74
    V.   The Fallout ................................................................ 75
         A. The Breadth of Data Compromised In the Theft Makes Clear That Capital One
            Was Pooling Sensitive Customer Data and Defining Broad IAM Roles That
            Allowed for Dynamic Access .............................................. 75
         B. The Data Theft Makes Clear that Cloud Custodian Was a Façade
            Designed to Falsely Signal Security to Customers ........................ 77
         C. Capital One’s Representation (and Promise) that It Used Encryption
            Was False and Misleading ................................................ 80
         D. The Flaws in Capital One’s Architecture Still Exist and Capital
            One Should Be Required to Move Sensitive Customer Data Off of the AWS
            Cloud ................................................................... 81
CLASS ACTION ALLEGATIONS ........................................................... 83
CLAIMS FOR RELIEF .................................................................. 94
    I.   Nationwide Class Claims .................................................... 94
    II.  State Subclass Claims ..................................................... 106
PRAYER FOR RELIEF ................................................................. 116
JURY DEMAND ....................................................................... 118

Plaintiffs, based on personal knowledge, and upon information and belief as to all other matters, allege as follows:

INTRODUCTION [1]

1. In March 2019, Capital One was the subject of one of the largest data thefts in history. The attacker, a former employee of Amazon Web Services, was caught and indicted. As information came to light about the nature of the attack, a striking set of facts began to emerge—not about the attacker, but about Capital One and Amazon. They had together, over several years, orchestrated a massive migration of highly sensitive data to a public cloud under the cover of false statements and Potemkin security software that Capital One and Amazon jointly created and jointly marketed to customers, regulators, and to the public as a means of keeping the data safe. But it was all a lie—and unbelievably, the precise conditions created by Defendants that gave rise to the March data theft persist to this day.

2. This case is about a fraud by Capital One and Amazon—not the data theft that revealed it. And at base, it is about millions of Capital One customers who entrusted their most sensitive data—data that can be used by a thief to assume those customers’ economic identity—to a bank and a cloud computing company based on a lie. Capital One and Amazon thoroughly monetized (and continue to monetize) sensitive Capital One customer data, mining it for every edge and insight about the behavior of Capital One’s customers. But in order to obtain that data and the lucrative interest and fees those customers generated, Capital One promised customers that their data was safe and protected. Both Capital One and Amazon assured people around the country that this was the case. Those assurances have now been shown to be indisputably, willfully false and misleading—and they continue to be false, as were the statements Defendants made together over the years about the safety of Amazon’s AWS public cloud for storage and processing of sensitive financial data.

[1] Terms not defined in this Introduction are defined in the body of the Complaint.

3. As a result of these lies, Plaintiffs have paid billions of dollars in interest and fees to Capital One that they never would have paid had they known the truth: Their sensitive personal data was being pooled in a giant “data lake” on the world’s most notoriously insecure public cloud, trawled by machine learning tools while at risk of theft via a well-known, unfixed Server Side Request Forgery (“SSRF”) attack vector.

4. Defendants continue to aggregate and mine that data under the same perilous conditions that existed eight months ago. Customer data—years of it—is even today being aggregated and shared across hundreds of data mining systems, a simple SSRF attack away from another massive theft. That unsafe aggregation of data is not a bug; it is a feature. It is how Capital One makes money, and it is how Amazon sells its cloud computing services. Without years’ worth of aggregated customer data, both companies would lose a competitive advantage.

5. Defendants know that there is no fix. They know that there is no setting they can change, or automated software they can write, to eliminate the risks that they intentionally force on their customers.

6. This fraud must stop. Plaintiffs seek damages and an injunction ordering the removal of sensitive Capital One customer data from Amazon’s public cloud servers.

* * *

7. By the end of 2014, Capital One had collected an unprecedented amount of data about its customers. That data could tell Capital One how risky its credit card users were to lend to, how often they spent, what they spent on, and even where they went and what they cared about. The problem, however, is that significant amounts of hardware and software infrastructure were needed to mine that data. Capital One needed data centers, storage, and computation power—all with the airtight security befitting a major financial institution.

8. This same opportunity was not lost on Capital One’s competitors. They mined information from their customers by creating their own massive data centers, which they would upgrade, maintain, and secure at their own significant expense. Capital One had done the same for years, and in fact, had established its own data centers in Virginia by 2014. The cost, however, was too high for Capital One. Scaling would require more investment, and if the scaling was wrong, there was no inexpensive way to scale down.

9. Amazon’s AWS presented a potential solution. AWS would allow Capital One to buy only as much computing power and storage as it needed. More importantly, it allowed Capital One to leverage Amazon’s data scientists and machine learning tools, as well as arrays of the graphics processing units capable of the massive simultaneous calculations needed for machine learning.

10. There were significant problems, however, with using AWS to mine customer data. Machine learning models required massive amounts of historical data to train. If the data was insufficient, the models would not be accurate. In other words, Capital One would need to place years (and potentially over a decade) of sensitive customer information on the AWS cloud. But the potential damage from a security breach compromising a large trove of historical data would be incalculable.

11. Other large financial institutions knew this risk was too great. Both JP Morgan and Bank of America expressed and exercised extreme caution around customer data and refused to place their customers’ data in the hands of a cloud provider. Banking regulators also had not yet weighed in on best practices and standards for aggregating data on a public cloud.

12. Capital One needed cover for its migration. At about the same time, AWS was searching for a large financial institution to adopt its ecosystem. AWS’s business was being adopted by technology companies, startups, and other unregulated or less-regulated enterprises. The prize, however, was a large financial institution—one whose adoption of AWS would signal to other apprehensive financial institutions that it was okay to make the transition to the public cloud.

13. In 2015, when no other bank would, Capital One took the plunge and announced that it would migrate its user data and applications to the AWS cloud. It would move entire swaths of customer data to AWS’s S3 servers to form a “data lake,” a single source of data that Capital One’s applications and machine learning models could all draw from. That data lake included over fifteen years of customer application data in order to better allow AI and machine learning algorithms to monetize that data for Capital One and Amazon.

14. This unprecedented aggregation of sensitive consumer data would, however, have to be sold as safe to Capital One’s current and prospective customers. If those customers did not believe their information was safe, they would never agree to apply for, or use, a Capital One credit card. Capital One, with AWS’s assistance, set out to assuage those fears by making false and misleading representations and omissions to current and potential customers, even developing its own software to manage the permissions of its internal computers and customer-facing applications to access the shared data lake. In other words, Capital One and AWS represented that they were able to guard against the inherent risk of pooling massive amounts of sensitive customer data for mining on the public cloud.

15. For years, however, AWS suffered from a widely known flaw. AWS servers, unlike those run by its competitors (e.g., Google), were not secured against an SSRF attack, which would allow an attacker to get inside a firewall and make requests to the data lake, including requests to pipe the data outside of the firewall to a third-party server. Year after year this flaw was the subject of some of the largest cybersecurity conferences in the United States. Each year, presentations were made expressly calling out AWS’s particular SSRF vulnerability. Capital One ignored all of it.

16. To provide additional cover for its migration to the public cloud, Capital One created software, called Cloud Custodian, which it jointly showcased and marketed with Amazon. It was described as a “rules engine” that allowed Capital One to set specific policies within AWS that would apply in real time to the various servers that accessed its data lake. The software would, among other things, purportedly automatically scan Capital One’s internal systems to ensure that all of the servers and permissions were set according to defined policies. Thus, when a computer wanted to access data from the data lake, it would assume a defined “role” that would then give it access to some portion or all of the data in the data lake.

17. These Identity and Access Management (“IAM”) roles are used on AWS to allow various computers to access particular resources on a dynamic basis. A computer on Capital One’s system with an IAM role configured to allow broad access, as required to train and deploy machine learning algorithms, could potentially allow that computer to access the entire data lake. Cloud Custodian would purportedly ensure that IAM roles were given the proper permissions to minimize the risk of a data breach; in other words, Cloud Custodian would grant the minimum amount of access necessary to complete a given task. For example, a customer-facing application such as a credit card application program would need to access systems to input the customer’s data into the appropriate tables and then receive information about whether that applicant was approved and the terms of the approval, but it would not need to access information about Capital One applicants from 2006.
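As an added example (written for this edit; it is not Capital One’s, Amazon’s or Cloud Custodian’s code), the following Python audit applies the least-privilege test described in paragraph 17 to IAM policy documents: it flags any Allow statement that lets a role read the entire data-lake bucket rather than only the prefix its task needs. The role names, bucket name and policy documents are constructed assumptions.

```python
"""Least-privilege audit of IAM role policies against a shared S3 data lake.

Constructed example: flags Allow statements whose S3 read actions reach every
object in the data-lake bucket instead of a task-specific key prefix.
"""
import fnmatch
from typing import Dict, List

# S3 actions that read object data or enumerate keys. A wildcard Action such
# as "s3:*" or "s3:Get*" in a policy is expanded against this set.
S3_READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_read(action_pattern: str) -> bool:
    """True if an Action entry (possibly wildcarded, case-insensitive) covers a read."""
    return any(fnmatch.fnmatchcase(a.lower(), action_pattern.lower()) for a in S3_READ_ACTIONS)


def covers_whole_bucket(resource: str, bucket: str) -> bool:
    """True if a Resource pattern reaches every object in `bucket`.

    Anything narrower (a key prefix such as .../applications/2019/*) counts as
    scoped access and is not flagged.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if resource in ("*", "arn:aws:s3:::*", bucket_arn, bucket_arn + "/*"):
        return True
    # A wildcarded bucket name (arn:aws:s3:::data-*/*) that matches the lake
    # bucket with an unrestricted key pattern is bucket-wide as well.
    if resource.endswith("/*") and fnmatch.fnmatchcase(bucket_arn, resource[:-2]):
        return True
    return False


def find_broad_statements(policy: dict, bucket: str) -> List[str]:
    """Return the Sids (or positional ids) of Allow statements with bucket-wide read access."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; only Allow can widen it
        if not any(_grants_read(a) for a in _as_list(stmt.get("Action"))):
            continue  # write-only or non-S3 statements are not a read path
        if any(covers_whole_bucket(r, bucket) for r in _as_list(stmt.get("Resource"))):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def audit_roles(roles: Dict[str, dict], bucket: str) -> Dict[str, List[str]]:
    """Map each role name to the statements that hand it the whole data lake."""
    return {name: find_broad_statements(policy, bucket) for name, policy in roles.items()}


# Constructed sample policies (hypothetical role and bucket names).
DATA_LAKE_BUCKET = "data-lake"
SAMPLE_ROLES = {
    # A model-training role given the entire lake: flagged.
    "ml-training-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadLake", "Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::data-lake/*"},
        ],
    },
    # A card-application role scoped to the current year's applications: not flagged.
    "card-application-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadCurrentApps", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::data-lake/applications/2019/*"},
            {"Sid": "DenyHistory", "Effect": "Deny", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::data-lake/applications/2006/*"},
        ],
    },
    # Bucket-wide write access with no read action: broad, but not a read path.
    "ingest-role": {
        "Version": "2012-10-17",
        "Statement": {"Sid": "PutOnly", "Effect": "Allow", "Action": "s3:PutObject",
                      "Resource": "arn:aws:s3:::data-lake/*"},
    },
}


if __name__ == "__main__":
    for role, broad in audit_roles(SAMPLE_ROLES, DATA_LAKE_BUCKET).items():
        status = "BROAD: " + ", ".join(broad) if broad else "scoped"
        print(f"{role:24s} {status}")
```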
`
18. The reality was that Cloud Custodian was not a solution to the serious problems posed by the mass aggregation of sensitive data and the open and dynamic access of countless servers to that data. Cloud Custodian’s supposed benefit—ensuring the minimum amount of access necessary to complete a task—is at cross purposes with the goal of aggregating and mining broad swaths of customer data for profit. This is because in order to train and apply machine learning and AI systems, those systems need broad and dynamic access to user data, and that data must span years to ensure the accuracy and power of the AI and machine learning models.

19. A version of Cloud Custodian designed to minimize risk, then, would not serve Capital One’s purpose for migrating to AWS’s servers in the first place, which was the monetization of its customers’ data. Accordingly, Cloud Custodian could not, and did not, solve the risk presented by the massive aggregation of data for exploitation on a public cloud server.

20. All that stood between an attacker and Capital One’s data lake was a firewall, a system designed to block unauthorized access while permitting outward communication. The firewalls on Amazon’s AWS cloud that guarded web applications, however, were known to be, and continue to be, vulnerable to an SSRF attack. Other cloud providers have implemented additional precautions to ensure that requests from outside the firewall cannot be used to command resources on the inside, but AWS did not implement such precautions and has not done so to this day.

21. The net effect is that once an attacker obtains access to a server or system inside an AWS firewall, such as a firewall that protects a customer-facing web application, the attacker has access to all the data available to that server or system. If the attacker obtains access to a single system that can assume a broad IAM role that permits it to access the data lake, such as those that conduct machine learning tasks, all of that data can be transferred outside of the firewall at will.
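As an added, defender-side illustration of the precaution that paragraphs 20 and 21 describe (example code written for this edit, not Capital One’s, Amazon’s or Cloud Custodian’s), the following Python check validates the destination of a server-side fetch before a web application performs it: only allowlisted hostnames over HTTPS pass, IP literals are refused, and the resolved addresses are re-checked so that a DNS record cannot steer an allowed name at an address inside the perimeter. The allowlist, the fake resolver table and every address in it are constructed assumptions.

```python
"""Destination check for server-side fetches (an SSRF mitigation).

Constructed example: a request-supplied URL is validated before the server
fetches it, so a forged request cannot be aimed at internal resources.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist of the external services this application may call.
ALLOWED_HOSTS = {"partner.example.com", "cdn.example.net"}
ALLOWED_SCHEMES = {"https"}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; used only when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(text: str) -> bool:
    """True unless the address is globally routable (fails closed on garbage)."""
    try:
        addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop an IPv6 scope id
    except ValueError:
        return True
    # ::ffff:10.0.0.1 is an IPv4 address in IPv6 clothing; judge the IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def check_fetch_target(url: str, resolver: Optional[Resolver] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    resolve = resolver or system_resolver
    try:
        parts = urlsplit(url)
        host = parts.hostname  # malformed bracketed IPv6 literals raise here
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    # IP literals are never accepted: they bypass the name allowlist, and an
    # internal one is exactly what a forged request would carry.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        where = "inside the perimeter" if is_internal_address(host) else "not on the allowlist"
        return False, f"IP literal {host} is {where}"
    name = host.lower().rstrip(".")
    if name not in ALLOWED_HOSTS:
        return False, f"host {name!r} not on allowlist"
    # Re-check what the allowed name actually resolves to.
    try:
        addresses = resolve(name)
    except OSError as exc:
        return False, f"could not resolve {name!r}: {exc}"
    if not addresses:
        return False, f"no addresses for {name!r}"
    internal = [a for a in addresses if is_internal_address(a)]
    if internal:
        return False, f"{name!r} resolves to internal address {internal[0]}"
    return True, "ok"


# Constructed resolver table so the example runs offline; the public-looking
# addresses are sample values, and cdn.example.net carries a record pointing inward.
FAKE_DNS = {
    "partner.example.com": ["52.94.76.10"],
    "cdn.example.net": ["104.16.20.30", "169.254.10.20"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://partner.example.com/report",
        "https://cdn.example.net/asset.js",
        "https://10.20.30.40/",
        "https://[::ffff:10.0.0.5]/",
        "https://user:pw@partner.example.com/",
        "http://partner.example.com/",
    ]:
        print(f"{candidate:42s} {check_fetch_target(candidate, fake_resolver)}")
```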
`
22. Of course, Cloud Custodian could do nothing to prevent any of this, notwithstanding Defendants’ statements otherwise. It did not matter to Defendants. AWS and Capital One jointly promoted Cloud Custodian as the solution to risk. This was a peculiar move for Amazon in particular because promotion of Cloud Custodian made no economic sense for Amazon.

23. First, AWS already had a suite of tools that would purportedly ensure the proper configuration of IAM roles and monitor data access. In fact, AWS made money selling these tools to the users of its cloud. Nonetheless, AWS agreed to help Capital One promote Cloud Custodian, which competed with AWS’s own tools.

24. Second, Cloud Custodian was both open source and cross-platform, meaning that it could be migrated to competing cloud services, such as Microsoft’s Azure or Google’s GCP. Accordingly, the relationship between Capital One and Amazon was far from an ordinary business relationship between a cloud provider and one of its customers. A customer that adopted Cloud Custodian could more easily move its operations to a competing provider than one that relied on Amazon’s own cloud management and security ecosystem. The only reason that AWS was willing to make that concession was to coax Capital One, a major financial institution, onto its platform, thus luring other financial institutions to join it.

25. Amazon also promoted Capital One’s migration to AWS and the Cloud Custodian program. In late 2018, AWS hosted several web pages and videos touting its partnership with Capital One, the migration of Capital One’s data to its cloud, Capital One’s use of AWS to perform machine learning on its user data at scale, and Cloud Custodian as a tool to keep the data safe. None of that promotion mentioned that Capital One and AWS had not dealt with the longstanding SSRF vulnerability peculiar to AWS.

26. Put simply, the only reason for AWS’s decision to misleadingly promote a competing product was the immense value of attracting a large bank to its platform when other financial services companies refused to migrate their sensitive customer data to the public cloud. Capital One’s use of AWS would demonstrate the safety of the cloud to financial services companies that sought to mine sensitive customer data. In exchange for this, Capital One would receive cover for its risky migration to the cloud, the pooling of customer data into the data lake, and the vast data mining operations it could conduct on its customers’ personal information. Together, by developing and promoting Cloud Custodian, Capital One and AWS lulled regulators and customers into a false sense of security and created precedent for other large companies to adopt the AWS public cloud, thereby enhancing AWS’s cloud ecosystem.

27. Capital One and Amazon knew about the inherent flaw in the architecture Capital One would have to deploy in order to exploit AWS’s machine learning and AI tools and hardware, including the SSRF vulnerability. Both companies nevertheless falsely touted Cloud Custodian as the solution. In 2016, Amazon and Capital One posted the open source software on Amazon’s AWS website, along with detailed documentation and marketing. But as both companies marketed Cloud Custodian as the solution to the risks of the data lake approach, they knew that Cloud Custodian was no solution at all.

28. For example, in December 2018, Kapil Thangavelu, Capital One’s developer in charge of Cloud Custodian, gave a presentation at Amazon’s AWS re:Invent conference. His presentation, entitled “Cloud Custodian—Open Source Security & Governance,” touted Cloud Custodian as a solution for the intractable task of maintaining appropriate permissions across several applications sharing aggregations of data. In an alarmingly prescient part of his speech, he discussed IAM roles and the precise vulnerability with poorly secured S3 servers that would later result in a breach of Capital One’s own systems. He then falsely touted Cloud Custodian as a cure for that vulnerability.

29. Capital One and Amazon’s statements proved false in March 2019, when a former Amazon employee scanned servers belonging to dozens of companies that had hosted their web applications on AWS and found a vulnerable entry point in Capital One’s credit card application processing system. Using an SSRF attack, the attacker tricked one of Capital One’s servers into sending information from Capital One’s data lake to TOR nodes outside of Capital One’s firewall and then to a server she controlled (the “Data Theft”).

30. The scope of the breach was staggering, with compromised data going back to 2005. It was clear that Capital One had aggregated customer data on an unprecedented scale, and the compromise of one of the systems inside its firewall meant the complete compromise of over a decade of sensitive customer data.

31. Not only did Cloud Custodian fail to stop the Data Theft, it failed to even detect that it had happened at all; it wasn’t until a July 2019 email from a third party that Capital One realized that it had suffered from the devastating attack. It was clear that Cloud Custodian was either a sham, designed to lull customers and regulators into a false sense of security, or it was never configured to limit access to years of historical data and found no anomalies to detect. Either way, all of Capital One and AWS’s statements about Cloud Custodian were revealed to have been false and misleading.

32. Because the attack threatened to expose a more existential problem with Capital One’s cloud operations, Defendants continued to lie about the root cause. Both Capital One and Amazon blamed a misconfigured firewall for the Data Theft, but that assertion is untrue. The problem is inherent in the architecture that Capital One chose and AWS enabled. Neither company addressed the fact that the architecture employed by Capital One on AWS was and is inherently at risk of a widespread data breach, including from an SSRF attack. Nor did either company address that, by design, Cloud Custodian, their touted solution to data vulnerability, was unable to detect or stop the attack.

33. Instead, Capital One and Amazon appear content to do nothing. AWS has not fixed its systemic vulnerability to the particular form of attack used in the Data Theft. Capital One has not fixed its aggregation-based, data-lake architecture that allows a simple hack to have devastating consequences. Both companies continue to profit on risking customers’ valuable personal information.

34. Capital One, with AWS’s knowing assistance, lied by stating that it would use industry-standard practices to protect its customers’ personal information. They lied about the capability of Cloud Custodian. They lied about the Data Theft. And they are continuing to lie about the security of the personal information in the data lake.

35. If Plaintiffs knew the truth, they would not have paid interest and fees to Capital One, and they would not have applied for a Capital One credit card. More importantly, Defendants must be stopped from continuing their fraudulent scheme.

PARTIES

I. DEFENDANTS

36. Defendant Capital One Financial Corporation (“Capital One”) is a Delaware corporation with its principal executive offices located at 1680 Capital One Drive, McLean, Virginia. It is a financial services holding company that offers an array of financial products and services to consumers, small businesses, and commercial clients, including the credit card products at issue in this lawsuit. Capital One reported $28 billion in revenue in 2018 and profits of over $6 billion after accounting for reserves, expenses, and taxes. Alone, Capital One’s domestic credit card business generated $16 billion in revenue and $2.9 billion in profit.

37. Defendant Capital One Bank (USA), National Association (“COBNA”) is a national bank headquartered at 4851 Cox Road, Glen Allen, Virginia. It offers credit and debit card products, including the credit card products at issue in this lawsuit, as well as other lending and deposit products. COBNA is one of Defendant Capital One’s principal wholly owned subsidiaries. As such, references to “Capital One” herein are, unless otherwise noted, intended to encompass COBNA.

38. Defendant Amazon.com, Inc. (“Amazon.com”) is a corporation existing under the laws of the State of Delaware with its headquarters and principal place of business located at 410 Terry Ave. North, Seattle, Washington.

39. Defendant Amazon Web Services, Inc. (“AWS”) is a corporation existing under the laws of the State of Delaware with its headquarters and principal place of business located at 410 Terry Ave. North, Seattle, Washington. AWS is a subsidiary of Amazon.com.

40. Virginia is the largest market for data center space in the United States, and AWS maintains large data centers throughout the state. AWS operates its Virginia data centers directly or through a subsidiary called Vadata, Inc., which has operations in Ashburn, Haymarket, Manassas, Warrenton, Lorton, Culpeper, and Chantilly, VA. Either directly or through Vadata, Amazon leases 3.5 million square feet of space in Northern Virginia for its data centers.

41. Defendants AWS and Amazon.com are referred to collectively in this Complaint as “Amazon.”

II. PLAINTIFFS

42. Plaintiffs, in the course of applying for Capital One credit cards, entrusted their personal information to Defendants with the understanding, based on Defendants’ statements and representations, that Defendants would keep their information secure and employ reasonable and adequate security measures to ensure that it would not be compromised. Plaintiffs’ expectation that their data would be secured was both reasonable and based on explicit promises made to them by Capital One and Amazon.

43. If Plaintiffs knew that Capital One and Amazon would not safeguard their information, they would not have applied for Capital One cards, and they certainly would not have paid the rate of interest and/or accepted the level of rewards associated with their cards. For most if not all Plaintiffs, the protection of their data was an indelible premise of applying for, and using, a particular credit card.

44. Plaintiffs’ highly sensitive personal data remains in jeopardy to this day because Capital One continues to aggregate years of historical data on AWS’s inherently flawed systems using an inherently flawed cloud architecture. As currently stored and maintained, Capital One and Amazon continue to breach their promises to Plaintiffs, and their statements about the safety of Plaintiffs’ and other customers’ data remain false and misleading. Plaintiffs require injunctive relief to abate their continuing injuries.

45. Plaintiff Andrew Broderick (“Broderick”), a resident of Texas, applied for three credit cards from Capital One, supplying personal information required by Capital One. Because Broderick lives in apprehension that his identity may be stolen as a result of Capital One and Amazon’s aggregation and maintenance of his data, as well as the Data Theft, he has expended effort to secure his identity, including obtaining credit monitoring.

46. Plaintiff Jacqueline Burke (“Burke”), a resident of South Carolina, applied for three credit cards from Capital One, supplying personal information required by Capital One. Capital One approved her applications, and Burke has maintained her accounts with Capital One to the present. Burke pays an annual fee on at least one of her Capital One cards, and she has paid interest on her balances to Capital One. Burke was informed by the IRS that she was the victim of a security breach and identity theft. Despite paying interest and other charges to Capital One for what she believed to be secure products, Burke lives in apprehension of identity theft as a result of Capital One and Amazon’s aggregation and maintenance of her data, as well as the Data Theft. Burke has expended effort to protect herself, including purchasing ten years of credit monitoring from Experian.

47. Plaintiff Susan Corley (“Corley”), a resident of Florida, applied for two credit cards from Capital One, supplying personal information required by Capital One. After she applied for credit from Capital One, a