
The Supreme Court of British Columbia has certified an $800-million class action against Capital One Financial Corp. on behalf of Canadian credit card customers who had their personal data compromised in a hack of the company’s databases.

According to the decision, the hack in early 2019 impacted six million Canadians and about 100 million Americans who had applied for Capital One cards or cards from retailers such as Costco Wholesale and the Hudson’s Bay Co. issued by the company.

The alleged hacker, Paige Thompson, was arrested by the FBI in July 2019 and is awaiting trial in the U.S. on criminal charges.

The data stolen from Canadians in the hack included information submitted on credit card applications, including about one million social insurance numbers, along with an array of personal and financial data.

The court noted that, so far, there’s no evidence that the stolen data was shared beyond the initial hack, and that “Capital One’s primary objection to certification is that the absence of such evidence means that the action cannot be certified.”

However, the court found that the proposed lawsuit does set out potentially viable causes of action for negligence, breach of contract and breach of consumer protection laws — although the claims approved by the court are narrower than the ones set out in the claim.

Other proposed causes of action were dismissed by the court as “bound to fail.”

For the surviving claims, the court certified the case as a class action for all Canadians (except residents of Quebec, where a parallel suit is also under consideration) who applied for Capital One credit cards and had their data compromised in the breach.