
The Largest Fines, Penalties, and Settlements from Data Breaches to Date

Photo credit: www.csoonline.com

A recent court filing revealed that a former Amazon Web Services (AWS) software engineer was responsible for a significant data breach that compromised sensitive information, including bank account details. The document, submitted to the U.S. District Court for the Eastern District of Virginia, states that while both Capital One and AWS deny any liability for the incident, they have reached a preliminary agreement to settle the class-action lawsuit brought by the plaintiffs. The settlement, which is pending court approval, is intended to resolve all claims arising from the case. Capital One maintained that the relevant facts surrounding the breach have not changed since it reported the incident, in collaboration with federal authorities, more than two years ago. It emphasized that the hacker was apprehended and the stolen data was recovered before it could be misused, and said it was pleased to have reached an agreement resolving the consumer class litigation.

15. Uber: $148 million

In 2016, the ride-hailing service Uber suffered a breach that exposed the data of 57 million riders and 600,000 drivers. Rather than promptly notifying regulators and the affected individuals, Uber paid the hacker $100,000 to keep the incident quiet. The decision proved costly: in 2018 the company agreed to a $148 million settlement with the attorneys general of all 50 U.S. states and the District of Columbia, the largest data breach penalty at that time, for failing to comply with state data breach notification laws.

16. Morgan Stanley: $120 million (total)

In January 2022, Morgan Stanley, a major player in investment banking and financial services, agreed to a $60 million settlement over data security failures. The settlement resolves a class-action lawsuit filed against the bank in July 2020 after two separate incidents exposed the personal data of around 15 million clients. The plaintiffs alleged that Morgan Stanley failed to adequately protect the personally identifiable information (PII) of current and former clients. Both incidents were tied to poorly handled decommissioning of data center equipment, in 2016 and again in 2019, which left client data on devices that were handed to third parties and remained readable by whoever acquired the discarded equipment.

The proposed settlement came more than a year after the Office of the Comptroller of the Currency (OCC) imposed a $60 million civil penalty on Morgan Stanley, in October 2020, for the same failures. The OCC found that the bank had not exercised adequate oversight of the decommissioning of hardware that housed client data: it failed to properly assess the risk of subcontracting the work to a vendor, and it did not maintain an appropriate inventory of the customer data stored on the devices being retired. The bank's vendor management controls also drew criticism in connection with the 2019 incident, highlighting persistent deficiencies in its handling of sensitive customer information.
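The two controls the OCC faulted, an inventory of what data each retired device held and verification that the device was actually sanitized before it left the bank's custody, are easy to state and routinely skipped. The following added example (not code from the csoonline article, from Morgan Stanley, or from the OCC) shows a minimal release gate that checks both: it reads back the media block by block, classifies each block as zero-filled, random (crypto-erase or random overwrite) or residual structured data, and refuses release unless the drive is in the inventory with a recorded sanitization method and no residual block is found. The serials, inventory records and sample disk contents are constructed for illustration; a real run would read `image` from the device itself.

```python
"""Added example, not code from the csoonline article or from Morgan Stanley.

Gate the hand-off of a decommissioned drive to a disposal vendor on two checks:
(1) the drive is in the asset inventory with a record of what data it held and
how it was sanitized, and (2) a read-back of the media finds no residual data.
All serials, records and sample contents below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, Optional

BLOCK = 4096          # bytes examined per block
HIGH_ENTROPY = 7.5    # bits/byte; crypto-erased or random-overwritten media sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(chunk: bytes) -> str:
    """'zero' (zero overwrite), 'random' (crypto-erase / random overwrite),
    or 'residual' (low-entropy structured data that was never wiped)."""
    if not any(chunk):
        return "zero"
    if shannon_entropy(chunk) >= HIGH_ENTROPY:
        return "random"
    return "residual"


def scan_image(image: bytes, block: int = BLOCK) -> Dict[str, int]:
    """Count blocks of each class across a raw image (or device read-back)."""
    counts = {"zero": 0, "random": 0, "residual": 0}
    for off in range(0, len(image), block):
        counts[classify_block(image[off:off + block])] += 1
    return counts


def is_sanitized(image: bytes) -> bool:
    """A drive passes only if no block still holds structured data."""
    return scan_image(image)["residual"] == 0


@dataclass
class AssetRecord:
    serial: str
    data_classification: str            # what the drive held, e.g. "client PII"
    sanitization_method: Optional[str]  # None until a wipe has been performed


def release_decision(serial: str, image: bytes, inventory: Dict[str, AssetRecord]) -> str:
    """Allow release only when inventory AND media read-back both check out."""
    rec = inventory.get(serial)
    if rec is None:
        return f"HOLD {serial}: not in inventory, contents unknown"
    if rec.sanitization_method is None:
        return f"HOLD {serial}: no sanitization recorded for {rec.data_classification}"
    if not is_sanitized(image):
        return f"HOLD {serial}: residual {rec.data_classification} found on media"
    return f"RELEASE {serial}: {rec.data_classification} wiped via {rec.sanitization_method}"


# --- constructed sample media, 16 blocks each (hypothetical contents) ----------
ZERO_BLOCK = bytes(BLOCK)
RECORD = b"client_id=000123,name=J. Doe,acct=****1234,ssn=***-**-6789\n"
RESIDUAL_BLOCK = (RECORD * (BLOCK // len(RECORD) + 1))[:BLOCK]
ZERO_FILLED = ZERO_BLOCK * 16
PARTIALLY_WIPED = ZERO_BLOCK * 7 + RESIDUAL_BLOCK + ZERO_BLOCK * 8
CRYPTO_ERASED = b"".join(random.Random(i).randbytes(BLOCK) for i in range(16))

# Constructed inventory with hypothetical serials.
INVENTORY = {
    "SRV-2016-0001": AssetRecord("SRV-2016-0001", "client PII", "NIST SP 800-88 purge (crypto erase)"),
    "SRV-2019-0002": AssetRecord("SRV-2019-0002", "client PII", "single-pass zero overwrite"),
    "SRV-2019-0003": AssetRecord("SRV-2019-0003", "client PII", None),
}

if __name__ == "__main__":
    print(release_decision("SRV-2016-0001", CRYPTO_ERASED, INVENTORY))
    print(release_decision("SRV-2019-0002", PARTIALLY_WIPED, INVENTORY))
    print(release_decision("SRV-2019-0003", ZERO_FILLED, INVENTORY))
    print(release_decision("SRV-2019-0099", ZERO_FILLED, INVENTORY))
```

Two caveats a practitioner should keep in mind. For multi-terabyte drives a full read-back is slow, so a sampled scan of randomly chosen blocks is the usual compromise; and a read-back only sees the logical address space, not remapped or spare sectors on SSDs, which is why the inventory record of the sanitization method (a verified crypto-erase rather than an overwrite) matters as much as the scan result.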

Source
www.csoonline.com
