New York Attorney General opens investigation into Capital One data breach

New York Attorney General opens investigation into Capital One data breach
© Getty Images

New York Attorney General Letitia James announced Tuesday that her office is opening an investigation into the Capital One data breach that resulted in the personal information of about 100 million American customers being illegally accessed.

“My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief,” James said in a statement. “We cannot allow hacks of this nature to become every day occurrences.”

ADVERTISEMENT

Also on Tuesday, Capital One was hit with its first civil lawsuit in conjunction with the breach. According to The National Law Journal, one Connecticut resident filed suit against the company on behalf of all those impacted, claiming it failed to properly secure customer data. 

The beginning of the investigation comes one day after the Department of Justice announced that former Seattle-based software engineer Paige Thompson had been arrested in connection with the theft of personal information from servers storing Capital One data. 

Thompson posted on GitHub about her theft of the data earlier this month and another user who saw the post subsequently alerted Capital One of the issue, with Capital One then reaching out to the FBI, authorities said. Thompson was able to access the data due to a “misconfigured web application firewall,” according to the Justice Department. According to Capital One she had accessed the data over two days in March. 

The breach allowed Thompson to access information including consumers’ names, some Social Security numbers, addresses, phone numbers, email addresses, and other personal data. Capital One estimated that, in addition to American customers, Thompson was also able to access the data of around six million Canadians. 

Specifically, Capital One noted that around 14,000 Social Security numbers of credit card customers were accessed, and about 80,000 linked bank account numbers of secured credit card customers were compromised. For Canadian customers, around one million Social Security numbers were compromised. 

Last week, James co-led a coalition of state attorneys general that reached what was described as the biggest data breach settlement in history in securing a settlement with credit agency Equifax in conjunction with its 2017 data breach that compromised the personal data of nearly half the U.S. population. 

In announcing the investigation into the Capital One breach, James noted, “It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?” 

Capital One put out a statement on Monday, stressing that it had immediately fixed the system vulnerability that allowed Thompson access to the data and that the company believes it is “unlikely that the information was used for fraud or disseminated by this individual.”

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Capital One Chairman and CEO Richard Fairbank said in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right." 

Some lawmakers immediately vowed action in response to the breach. 

Sen. Ron WydenRonald (Ron) Lee WydenWyden blasts FEC Republicans for blocking probe into NRA over possible Russia donations Wyden calls for end to political ad targeting on Facebook, Google Ex-CIA chief worries campaigns falling short on cybersecurity MORE (D-Ore,) the top Democrat on the Senate Finance Committee, tweeted, “I’m sick of waking up to headlines revealing that millions of Americans had their information stolen because a billion-dollar company failed Cybersecurity 101. Corporations will only take Americans’ privacy seriously when CEOs are held personally accountable.”

A spokesperson for Senate Banking Committee Chairman Mike CrapoMichael (Mike) Dean CrapoA US-UK free trade agreement can hold the Kremlin to account Oversight Republicans demand answers on Capital One data breach On The Money: Fed cuts rates for first time since financial crisis | Trump rips Fed after chief casts doubt on future cuts | Stocks slide | Senate kicks budget vote amid scramble for GOP support MORE (R-Idaho) told The Hill that the committee “is looking into the matter and will investigate it further, especially in light of Sen. Crapo looking at legislation on data privacy and safeguards.” 

Sen. Sherrod BrownSherrod Campbell BrownThe Hill's Campaign Report: Battle for Senate begins to take shape Dayton Democrat launches challenge to longtime GOP rep Dayton mayor: Trump visit after shooting was 'difficult on the community' MORE (D-Ohio), the ranking member on the Senate Banking Committee, told The Hill on Tuesday that he would support his committee holding hearings to investigate the incident. 

“I support making them responsible and hopefully more contrite than Equifax was,” Brown added.