A software engineer at AWS was behind the attack, which exposed information including bank account details. “While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs,” a filing with the U.S. District Court for the Eastern District of Virginia read. In an emailed statement, Capital One said that key facts in the case had not changed since it announced the event in coordination with federal authorities more than two years ago, with the hacker arrested and the stolen data recovered before it could be disseminated or used for fraudulent purposes. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.,” the company added.
15. Uber: $148 million
In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data breach fine in history at the time — for violation of state data breach notification laws.
16. Morgan Stanley: $120 million (total)
In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The agreement, if approved by a federal judge in Manhattan, will resolve a class-action lawsuit was that filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. According to claimants, Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients. It is alleged data center equipment decommissioned by the firm in 2016 and 2019 was not efficiently wiped clean and a software flaw meant that unencrypted, sensitive data was visible to whoever purchased the equipment.
The proposed claim settlement comes more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC) in relation to the same incidents. The OCC stated that Morgan Stanley failed “to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S. Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.” In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data, the OCC added.
_Igor_Stevanovic_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&w=332&resize=332,0&ssl=1 "Best Practices in LCNC & RPA Automation")
_Igor_Stevanovic_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop&w=688&resize=688,387&ssl=1 "Best Practices in LCNC & RPA Automation")
