`
`UNITED STATES DISTRICT COURT
`EASTERN DISTRICT OF VIRGINIA
`
`
`IN RE: CAPITAL ONE CUSTOMER
`DATA SECURITY BREACH LITIGATION
`
`
`This Document Related to ONLY the following
`case:
`
`
`
`
`
`
`
`
`
`
`MDL No. 1:19-md-2915 (AJT/JFA)
`
`
`
`Case No. 1:19-cv-1472 (AJT)
`
`MARCUS MINSKY, Individually and On Behalf
`of All Others Similarly Situated,
`
`
`
`
`
`Plaintiff,
`
`
`
`vs.
`
`
`CAPITAL ONE FINANCIAL CORPORATION,
`RICHARD FAIRBANK, ROBERT
`ALEXANDER, and MICHAEL JOHNSON,
` Defendants.
`
`
`
`AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL
`SECURITIES LAWS
`
`
`
`
`
`
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 2 of 74 PageID# 1722
`
`TABLE OF CONTENTS
`
`I. NATURE OF THE ACTION .................................................................................................. 1
`
`II. JURISDICTION AND VENUE .............................................................................................. 6
`III. DEFENDANTS AND RELEVANT THIRD PARTIES ..................................................... 7
`
`IV. BECAUSE THEY FIXATED INVESTORS’ ATTENTION ON CAPITAL ONE’S
`DIGITAL TRANSFORMATIONS, DEFENDANTS’ STATEMENTS ABOUT
`CYBERSECURITY WERE CRITICAL TO INVESTORS........................................................... 9
`
`A. From Its Founding, Capital One Distinguishes Itself By Its “Information Based Strategy” 9
`
`B. Capital One Went “All In” On A “Revolutionary” “Amazing Opportunity”: A Digital
`Transformation .......................................................................................................................... 11
`
`The Digital Transformation Was An Opportunity For Capital One To Employ Its
`(a)
`Purported Technological Savvy To Outpace Its Competitors ............................................... 12
`(b) Defendants Tout the Promise of the Digital Transformation’s Incorporation of
`Machine Learning to Dramatically Intensify Capital One’s Information Based Strategy .... 17
`(c) Defendants Boast That Capital One’s Digital Transformation Was Providing
`Substantial Immediate Benefits ............................................................................................. 19
`
`(d) Defendants Told Investors That the Digital Technology Would Improve Customers’
`Perceptions of Capital One .................................................................................................... 22
`
`V. PRIVATE INFORMATION IS VALUABLE TO CRIMINALS ......................................... 25
`
`VI. CAPITAL ONE’S DIGITAL TRANSFORMATION NEGLECTS SECURITY ............. 27
`
`A. More Data Makes Better Machine Learning Algorithms .................................................. 28
`B. Capital One Created Too Many Data Lakes and its Data Lakes Were Overbroad............ 30
`
`C. Capital One Granted Access to the Data Lakes Far Too Easily ........................................ 32
`
`D. Capital One’s “Lackadaisical” Security and Multiple Security Breaches Created an
`Environment Where Employees Could Easily Miss Impermissible Transfers ......................... 36
`
`E. Capital One’s Encryption Did Literally Nothing to Stop Hackers from Obtaining
`“Encrypted” Data ...................................................................................................................... 36
`
`F. The Wall Street Journal Reports Internal Strife in Capital One’s Cybersecurity Division 38
`VII. LOSS CAUSATION .......................................................................................................... 40
`
`A. A Hacker Steals 106 Million Credit Card Applicants’ Unencrypted Data ........................ 40
`
`B. Capital One Does Not Learn of the Data Breach Until It Is Informed That the Hacker Had
`Publicly Bragged About It......................................................................................................... 42
`
`C. Capital One Only Escaped Catastrophic Harm Because It Was Incredibly Lucky ........... 42
`D. Capital One’s Announcement of the Data Breach Shocks the Market .............................. 43
`
`VIII. DEFENDANTS’ FALSE AND MISLEADING STATEMENTS .................................... 46
`
`
`
`i
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 3 of 74 PageID# 1723
`
`A. Capital One’s Legal Obligations and Industry Practices ................................................... 46
`
`B. Defendants Violated Regulatory Obligations To Disclose Information About the Risks
`Created By Capital One’s Cybersecurity Policies..................................................................... 50
`
`C. Defendants Falsely and Misleadingly Stated that Capital One’s Digital Transformation
`Was A Shared Path Which Led to Better Cybersecurity .......................................................... 53
`D. Defendants Claimed Cybersecurity Was One of Capital One’s Top Priorities ................. 55
`
`E. Defendants Claimed that the Customer Data It Placed On Its Server was Effectively
`Encrypted .................................................................................................................................. 60
`
`F. Defendants Claimed They Followed Reasonable Access Frequency and Retention Period
`
`61
`
`IX.
`
`PLAINTIFF’S CLASS ACTION ALLEGATIONS .......................................................... 62
`
`COUNT I ...................................................................................................................................... 65
`COUNT II ..................................................................................................................................... 68
`
`X. PRAYER FOR RELIEF ........................................................................................................ 69
`
`
`
`
`
`ii
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 4 of 74 PageID# 1724
`
`Lead Plaintiff Edward Shamoon, individually and on behalf of all other persons similarly
`
`situated, by his undersigned attorneys, for his complaint against Capital One Financial Corp.
`
`(“Capital One”) and the Individual Defendants (defined below), alleges the following based upon
`
`personal knowledge as to himself and his own acts, and information and belief as to all other
`
`matters. Plaintiff believes substantial evidentiary support will exist for the allegations set forth
`
`herein after a reasonable opportunity for discovery.
`
`I.
`
`NATURE OF THE ACTION
`
`1.
`
`This is a securities class action brought on behalf of all persons who purchased or
`
`acquired Capital One common stock between July 23, 2015, and July 29, 2019 (“Class Period”),
`
`did not sell such shares prior to July 29, 2019, and were damaged thereby. Excluded from the Class
`
`are Defendants, all present and former officers and directors of Capital One and any subsidiary
`
`thereof, members of such excluded persons’ families and their legal representatives, heirs,
`
`successors or assigns and any entity which such excluded persons controlled or in which they have
`
`or had a controlling interest.
`
`2.
`
`Capital One marketed itself to investors as having taken enormous efforts to be the
`
`technologically savviest bank, with the best infrastructure, the best software engineers – and the
`
`best cybersecurity practices. Capital One lied. In fact, to bolster its technological transformation,
`
`Capital One sacrificed cybersecurity. It created vast stores of data, called data lakes, containing
`
`decades of effectively unencrypted customer data, linked to customer financial information, to
`
`which it granted access with reckless disregard for the security of the information. It did not
`
`meaningfully encrypt the data contained in the data lakes. When the market learned that an
`
`individual hacker had stolen data from 106 million credit card applicants dating as far back as
`
`2005, the market was shocked, and Capital One’s stock price fell materially, damaging investors.
`
`
`
`1
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 5 of 74 PageID# 1725
`
`3.
`
`From its entry into the banking industry in the 1990s, Capital One claimed it would
`
`outcompete its more established peers by gathering better information and deriving better models
`
`to make better credit and marketing decisions.
`
`4.
`
`Defendants have heralded this century’s substantial increases in computing power
`
`and massive increases in the amount and usability of data. This unfolding digital revolution seemed
`
`tailor-made for Capital One’s claimed competitive advantage.
`
`5.
`
`In 2011, Capital One that it was beginning a digital transformation which would
`
`lead to enormous benefits. Defendants stated that the transformation was “revolutionary” and an
`
`“amazing opportunity.” The Company bragged that “it is just hard to exaggerate how much time
`
`and energy” Capital One and its senior executives spent pursuing it.
`
`6.
`
`In 2015 Capital One reinforced its commitment to the digital transformation when
`
`it announced that it would move all its data from its own private cloud to the public cloud.1
`
`7.
`
`During the Class Period, Defendants emphasized to investors again and again that
`
`Capital One’s digital transformation was its single greatest competitive advantage. Defendants
`
`claimed that the transformation was “revolutionary” – in fact, that it embodied “the biggest
`
`revolution in the history of mankind.” Defendants claimed that Capital One benefitted from the
`
`“revolution.” They claimed that Capital One would be better able to identify profitable customers,
`
`send them individualized real-time advertisements and reward offers customized to win their
`
`business, and make more informed credit decisions. Defendants claimed that these benefits also
`
`
`
` 1
`
` A private cloud consists of computing resources dedicated exclusively to the customer. Capital
`One had historically placed its data on company-owned servers. Public clouds are computing
`resources maintained by a third party, not dedicated to any particular customer, in which any given
`customer simply leases space. The most prominent public cloud, which Capital One and millions
`of other customers employed, is Amazon Web Services.
`
`
`
`2
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 6 of 74 PageID# 1726
`
`allowed them to reach multibillion-dollar partnerships with large retail chains who Defendants
`
`claimed wanted to benefit from Capital One’s digital resources and know-how. For five years, in
`
`numerous statements to investors, Defendants told investors that they should invest in Capital One
`
`because it was the most technologically savvy of all banks.
`
`8.
`
`Keeping and storing vast amounts of data raises cybersecurity concerns.
`
`Defendants, however, claimed that better cybersecurity was integral to Capital One’s digital
`
`transformation. According to Defendants, the digital transformation was a “shared path” that
`
`would improve Capital One’s capabilities, including cybersecurity. Defendants claimed
`
`cybersecurity was “incredibly important,” “critical,” and Capital One’s “most important” priority.
`
`They claimed that Capital One encrypted all data it stored in the cloud and that it adhered to
`
`principles requiring it to respect customers’ reasonable views of how long it would hold onto their
`
`data. They emphasized that Capital One’s reputation for strict cybersecurity would prove a
`
`competitive advantage as against purely tech companies. Thus, Capital One would harness its
`
`technological savvy to protect its customers’ data.
`
`9.
`
`According to Defendants, one of Capital One’s main weapons in its cybersecurity
`
`arsenal was Cloud Custodian, a program Capital One developed in house that Defendants claimed
`
`automatically encrypted all the data Capital One made accessible to employees. Thus, even if a
`
`hacker penetrated Capital One’s firewall, the hacker would still not obtain meaningful data.
`
`10.
`
`Moreover, Defendants claimed Capital One complied with principles requiring
`
`them to delete customer data after a reasonable time. Even if a hacker breached Capital One’s
`
`firewall and even if the hacker somehow decrypted the data, Capital One’s deletion practices
`
`would sharply limit the number of customers affected.
`
`
`
`3
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 7 of 74 PageID# 1727
`
`11.
`
`On July 29, 2019, Capital One announced that a hacker had stolen personal
`
`information drawn from 106 million credit card applications (“Data Breach”). The information
`
`included, for each applicant, self-reported income, complete demographic information, and last
`
`four numbers of social security numbers. The data the hacker obtained also set out information on
`
`the customers’ subsequent performance (e.g., credit lines, credit scores, payment history, and the
`
`like), which would identify for criminals exactly the most profitable identities to steal. The hack
`
`also exposed more than 100,000 full social security numbers, and about one million of the
`
`Canadian equivalent of social security numbers.
`
`12.
`
`The admissions in Capital One’s announcement, subsequent reporting, and reports
`
`from former employees show that Capital One had sacrificed cybersecurity to a dangerous extent,
`
`belying their repeated claims to the contrary. Given Capital One’s deficient cybersecurity
`
`measures, the Data Breach was inevitable.
`
`13.
`
`The foundation of Capital One’s digital transformation was machine learning, a
`
`process through which computer algorithms are given raw data and “learn” on their own to discern
`
`patterns and accomplish tasks. More data means better algorithms.
`
`14.
`
`To optimize machine learning, Capital One created massive data lakes (i.e.,
`
`repositories of customer data) containing data retained far in excess of customer expectations.
`
`Capital One announced that the hacker had stolen data from credit card applications submitted as
`
`early as 2005. Capital One had held on to this data for fourteen years. To ensure that the
`
`information the algorithms gleaned was as useful as possible, Capital One also included outcomes
`
`(the customer’s subsequent performance). Capital One made so much data accessible that any
`
`breach would be catastrophic.
`
`
`
`4
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 8 of 74 PageID# 1728
`
`15.
`
`Capital One former employees spoke to the chaos Capital One’s access “controls”
`
`created. A former employee who headed the unit that developed Capital One’s digital
`
`cybersecurity infrastructure reports that each Capital One line of business created its own data
`
`lakes of customer data. The former cybersecurity infrastructure employee reports that each division
`
`could determine who had access to its own data lakes and the terms of that access – leaving Capital
`
`One only as secure as its least secure division. A former employee in Capital One’s cybersecurity
`
`division reports that Capital One kept over 500 million usernames and passwords on its server on
`
`an unencrypted plaintext spreadsheet, searchable and accessible to anyone. Indeed, between 2017
`
`and 2019, Capital One reported at least four incidents in which insiders exploited overbroad access
`
`and weak monitoring to access multiple Capital One customers’ data – far more than any other
`
`bank.
`
`16.
`
`Finally, contrary to Defendants’ express statements, Capital One’s data was not
`
`meaningfully encrypted. Rather than limiting decryption to relevant persons, Capital One
`
`automatically decrypted data for any person with Capital One credentials. As an expert explained,
`
`Capital One’s encryption was “academic at best.”
`
`17.
`
`Capital One’s loose and chaotic access policies, huge numbers of vast data lakes,
`
`and automatic decryption made a hack like the Data Breach inevitable. With too many authorized
`
`requests by Capital One employees and algorithms to access data to monitor, an illegitimate
`
`request would be difficult to catch. Indeed, the hacker involved in the Data Breach accessed Capital
`
`One’s data three times in March and April 2019 and used Capital One’s computer resources to
`
`mine bitcoin, without ever being detected.
`
`18.
`
`The final weakness in Capital One’s cybersecurity defenses was Defendants
`
`themselves. In 2017, Capital One hired Michael Johnson to be its Chief Information Security
`
`
`
`5
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 9 of 74 PageID# 1729
`
`Officer (“CISO”), the head of the cybersecurity division. Defendants considered turnover in that
`
`division material and closely monitored it, including in reports to Capital One’s board of directors.
`
`Johnson immediately alienated the cybersecurity division’s employees. The division’s turnover in
`
`2018 was about one third. Under Johnson, Capital One’s cybersecurity division even omitted to
`
`take elementary precautions like installing security software Capital One had purchased.
`
`19.
`
`The July 29, 2019 announcement of the Data Breach thus was the inevitable result
`
`of Capital One’s abandoning cybersecurity practices to carry further itsd business plan.
`
`20.
`
`Defendants’ boasts that Capital One would use its vast technological savvy to
`
`protect and encrypt customer data deceived investors. On July 30, 2019, the day after Capital One
`
`disclosed the data breach, its stock price fell 6% on exceptionally high volume of trades to close
`
`at $91.21, damaging investors.
`
`II.
`
`JURISDICTION AND VENUE
`
`21.
`
`The claims asserted herein arise under Sections 10(b) and 20(a) of the Exchange
`
`Act (15 U.S.C. §§78j(b) and 78t(a)) and Rule 10b-5 promulgated thereunder by the SEC (17 C.F.R.
`
`§ 240.10b-5).
`
`22.
`
`This Court has jurisdiction over the subject matter of this action pursuant to 28
`
`U.S.C. §1331 and Section 27 of the Exchange Act (15 U.S.C. §78aa).
`
`23.
`
` Venue is proper in this Judicial District pursuant to 28 U.S.C. §1391(b) and Section
`
`27 of the Exchange Act (15 U.S.C. §78aa(c)). The Company’s headquarters are located in this
`
`district.
`
`24.
`
`In connection with the acts, transactions, and conduct alleged herein, Defendants
`
`directly and indirectly used the means and instrumentalities of interstate commerce, including the
`
`United States mail, interstate telephone communications, and the facilities of a national securities
`
`exchange.
`
`
`
`6
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 10 of 74 PageID# 1730
`
`III.
`
`DEFENDANTS AND RELEVANT THIRD PARTIES
`
`25.
`
`Court-appointed Lead Plaintiff Edward Shamoon, as set forth in his Certification,
`
`which was previously filed on the Court’s docket and is incorporated by reference, purchased
`
`Capital One common stock during the Class Period at artificially inflated prices during the Class
`
`Period and was damaged thereby.
`
`26.
`
`Defendant Capital One is a bank holding company. Capital One differentiates itself
`
`from competitors by boasting of its focus on technology. Defendant Fairbank summarizes Capital
`
`One’s purported competitive advantage by claiming that among banks it alone is “an information-
`
`based technology company that does banking competing against banks who use information and
`
`technology.” Capital One’s shares trade on the New York Stock Exchange under ticker COF.
`
`Capital One has three main lines of business: credit cards, auto loans, and commercial loans.
`
`During the Class Period, credit cards accounted for a large majority of Capital One’s revenues.
`
`Included in this category were substantial revenues from issuing store-branded credit cards to retail
`
`chain partners like Walmart.
`
`27.
`
`Defendant Richard Fairbank founded Capital One and has served as its CEO at all
`
`times.
`
`28.
`
`Defendant Robert Alexander joined Capital One in 1998 and has served as its Chief
`
`Information Officer (“CIO”) since May 2007. According to Capital One’s proxy statements,
`
`Alexander oversees all of Capital One’s technology activities, which included 9,000 employees,
`
`more than 8,000 of whom were software engineers.
`
`29.
`
`Defendant Michael Johnson served as Capital One’s Chief Information Security
`
`Officer (“CISO”) from March 2017 until he was terminated in October 2017 because of the Data
`
`Breach. Johnson met with Capital One’s Risk Committee, a committee of its board, at least twice
`
`
`
`7
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 11 of 74 PageID# 1731
`
`a year. Johnson headed Capital One’s Information Security & Risk Management Division which
`
`during Johnson’s tenure was renamed the Cybersecurity Division.2
`
`30.
`
`31.
`
`Fairbank, Alexander, and Johnson are the “Individual Defendants.”
`
`Former Employee 1 (“FE 1”) worked for Capital One between December 2015 and
`
`November 2018. During the first year of his tenure, FE 1 was an Information Risk Manager in the
`
`Cybersecurity Division reporting directly to the CISO. Thereafter, FE 1 headed the Capital One
`
`division responsible for developing and implementing Capital One’s cloud security policies and
`
`governance.
`
`32.
`
`Former Employee 2 (“FE 2”) worked for Capital One between October 2016 and
`
`July 2017 as a Senior Manager in Capital One’s Cybersecurity Division. FE 2 reported to a
`
`Director in the Cybersecurity Division who in turn reported to Richard Isenberg, VP of the
`
`Cybersecurity Division, who reported to the CISO. FE 2 has senior government experience,
`
`including briefing the head of a law enforcement agency.
`
`33.
`
`Former Employee 3 (“FE 3”) worked for Capital One as a Cyber Security Incident
`
`Manager between 2016 through 2018. FE 3 headed a cyber incident team whose functions included
`
`observing operations, compiling indicators of compromise, and sending suspicious activity
`
`reports. FE 3 reported to a Director in the Cybersecurity Division, who in turn reported to a Senior
`
`Director, who reported to Defendant Johnson.
`
`
`
` 2
`
` “Cybersecurity Division” as used herein refers to the division both before and after the name
`change.
`
`
`
`8
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 12 of 74 PageID# 1732
`
`IV.
`
`BECAUSE THEY FIXATED INVESTORS’ ATTENTION ON CAPITAL ONE’S
`DIGITAL TRANSFORMATIONS, DEFENDANTS’ STATEMENTS ABOUT
`CYBERSECURITY WERE CRITICAL TO INVESTORS
`
`A.
`
`From Its Founding, Capital One Distinguishes Itself By Its “Information Based
`Strategy”
`
`34.
`
`Capital One, founded as another bank’s credit card division, was spun off in 1994.
`
`Capital One has always told investors that it would thrive by using more data more intelligently
`
`than its competitors.
`
`35.
`
`After the spin-off, the only financial product Capital One offered was credit cards.
`
`Its narrow offering differentiated it from other credit cards companies, which tended to be large
`
`banks offering many different products. Capital One’s narrow offering made it a much riskier bet
`
`than its competitors, as its diversified competitors could weather a downturn in the credit card
`
`market that might be enough to put Capital One out of business. Capital One focused its business
`
`on riskier subprime customers.
`
`36.
`
`To lower its risk, Capital One followed a strategy it had adopted in 1988 which it
`
`called its Information Based Strategy.
`
`37.
`
`Capital One’s 1996 10-K, its very first, explained:
`
`The Company’s IBS [i.e., Information Based Strategy] is designed to allow
`the Company to differentiate among customers based on credit risk, usage
`and other characteristics and to match customer characteristics with
`appropriate product offerings. IBS involves developing sophisticated
`models, information systems, well-trained personnel and a flexible culture
`to create credit card or other products and services that address the demands
`of changing consumer and competitive markets. By using sophisticated
`statistical modeling techniques, the Company is able to segment its potential
`customer lists based upon the integrated use of credit scores, demographics,
`customer behavioral characteristics and other criteria. By actively testing a
`wide variety of product and service features, marketing channels and other
`aspects of its offerings, the Company can design and target customized
`solicitations at various customer segments, thereby enhancing customer
`response levels and maximizing returns on investment within given
`underwriting parameters. Continued
`integrated
`testing and model
`development builds on information gained from earlier phases and is
`
`
`
`9
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 13 of 74 PageID# 1733
`
`intended to improve the quality, performance and profitability of the
`Company’s solicitation and account management initiatives. The Company
`applies IBS to all areas of its business, including solicitations, account
`management, credit line management, pricing strategies, usage stimulation,
`collections, recoveries and account and balance retention.
`
`
`
`38.
`
`Thus, Capital One maintained since its inception that its Information Based
`
`Strategy would allow it to better identify better customers, better market to them, and offer them
`
`rewards better targeted to their wants and needs. By having better information and models than its
`
`competitors, Capital One bet that it could also extend credit more intelligently than its competitors,
`
`and therefore more profitably, than its competitors.
`
`39.
`
`After the spinoff, Capital One began to offer what it called Second Generation
`
`Products in markets where it believed it could use its Information Based Strategy to outcompete
`
`other banks. These products also targeted moderate income customers or those with poor credit
`
`ratings. Capital One maintained that it could turn a profit by using its Information Based Strategy
`
`to better evaluate, price, and monitor credit risks.
`
`40.
`
`As information technology improved throughout the 1990’s and 2000’s, Capital
`
`One’s Information Based Strategy became digital. For example, Capital One’s 2000’s 10-Ks stated
`
`that it “leverage[s] information technology to achieve our business objectives and to develop and
`
`deliver products and services that satisfy our customers’ needs [a key aspect of which is] the
`
`development of efficient, flexible computer and operational systems to support complex marketing
`
`and account management strategies and the development of new and diversified products.”
`
`41.
`
`According to Defendants, Capital One’s competitive advantage in information and
`
`analysis becomes more material with each passing year. On a call to announce Capital One’s Q4
`
`2014 earnings, on January 22, 2015, Defendant Fairbank explained that the technological
`
`transformation was critical because it would affect “even something that’s very, very core to how
`
`
`
`10
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 14 of 74 PageID# 1734
`
`Capital One works, which is information-based strategies itself.” Indeed, in that same call,
`
`Fairbank called Capital One a “fanatical information-based company; and across all the segments
`
`and sub-segments we’re in, we are reading the data that is coming back and readjusting constantly
`
`our choices and so on.”
`
`B.
`
`Capital One Went “All In” On A “Revolutionary” “Amazing Opportunity”: A Digital
`Transformation
`
`42.
`
`In 2011, Capital One promoted the start of a complete overhaul of its operations,
`
`which it called a digital transformation. Deriding banks that merely added apps or online banking
`
`to their traditional structures Capital One claimed the main promise of the digital transformation
`
`was the ability to use new machine learning technology to boost Capital One’s Information Based
`
`Strategy. Capital One could create a better experience for customers through (among other things)
`
`better credit decisions, better marketing, and better fraud detection systems. To do so, Capital One
`
`would have to modernize its entire infrastructure.
`
`43.
`
`In 2015, as part of its digital transformation, Capital One announced that it would
`
`move substantially all of its computing operations and data to the cloud. In 2016, Capital One
`
`announced that it would make Amazon Web Services (“AWS”) its predominant cloud provider.
`
`44.
`
`As SVP Global Finance Norris explained at the J.P. Morgan FinTech & Specialty
`
`Finance Forum on November 30, 2016:
`
`AWS [Amazon Web Services] announced yesterday after the close an agreement with
`Capital One where we’re making AWS our predominant cloud partner, and we’re really
`migrating a lot of things to the cloud: big data infrastructure and capabilities, cloud
`computing, the kind of modern infrastructure that’s needed to support a truly digital
`enterprise.
`
`45.
`
`Defendants represented, over and over and over again, that its digital transformation
`
`was Capital One’s single greatest competitive advantage. Capital One boasted that it had the most
`
`and the best software engineers and other technology professionals. Capital One executives
`
`
`
`11
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 15 of 74 PageID# 1735
`
`acknowledged that they understood investors were hanging on every word they spoke of their
`
`digital transformation.
`
`46.
`
`Defendants maintained that Capital One’s digital transformation was already
`
`creating substantial benefits, including multibillion-dollar partnerships with large retail chains
`
`excited about Capital One’s technology.
`
`(a)
`
`The Digital Transformation Was An Opportunity For Capital One To Employ Its
`Purported Technological Savvy To Outpace Its Competitors
`
`47.
`
`In a maxim Defendant Fairbanks frequently repeated, including at the June 1, 2017
`
`Sanford C. Bernstein & Co. Strategic Decision Conference, Capital One was “an information-
`
`based technology company that does banking competing against banks who use information and
`
`technology.”
`
`48.
`
`Armed with this advantage, Capital One would leave behind its competitors, who
`
`Capital One claimed merely bolted technology onto traditional banks.
`
`49.
`
`Before and during the Class Period, Defendants characterized Capital One’s digital
`
`transformation as the single most important fact about it. In a November 30, 2016 presentation
`
`before the J.P. Morgan FinTech & Specialty Finance Forum, Capital One SVP of Global Finance
`
`Jeff Norris boasted that “I’ve been with Capital One for almost 20 years, and this is a rare kind of
`
`time in my experience at Capital One in that this investment in digital and digital transformation
`
`in banking is one of the few things I think we’ve ever seen that’s just sort of, over time, good on
`
`every dimension.” Norris added that the digital transformation is “an integral part of our card
`
`growth, and over time I think it just becomes more and more the company we are [] and we believe
`
`is one of the cornerstones of our strategy.”
`
`50.
`
`Defendant Fairbank was even more enthusiastic.
`
`
`
`12
`
`
`
`Case 1:19-md-02915-AJT-JFA Document 279 Filed 01/17/20 Page 16 of 74 PageID# 1736
`
`51.
`
`On a call to announce Capital One’s Q4 2014 earnings, taking place on January 22,
`
`2015, Defendant Fairbank said that:
`
`And finally, the investment in digital. And while digital is a big opportunity across
`consumer and commercial, certainly, on a relative basis, I think the revolution is going to
`be greater on the consumer side and it’s literally going to transform all aspects of how
`banking is done. It’s going to transform not only – people often think through the lens of
`the customer experience, but really the whole way, the way retail distribution works, the
`way operations, marketing, servicing and even something that’s very, very core to how
`Capital One works, which is information-based strategies itself. So this is a big deal on the
`commercial side. It’s pretty much a revolutionary deal on the consumer side.
`
`52.
`
`Fairbank added that “I haven’t seen anything remotely like this in terms of the
`
`ability to transform how a business works.”
`
`53.
`
`At the February 10, 2016 Credit Suisse Financial Services Forum, Fairbank
`
`reiterated that “[t]his is the most significant thing I’ve seen in the 25 years of building this
`
`Company in terms of opportunity but also in terms of like risk if you don’t really go for it.”
`
`54.
`
`At the June 2, 2016 Sanford C. Bernstein & Co. investor conference, Fairbank
`
`claimed that:
`
`The most important place, the most important things that are going on are not the things
`that you can readily see. It’s about foundational technology that is the shared path to
`really being a digital company. It’s about the information-based strategy that we use in
`credit decision-making, in marketing, t