New York Attorney General opens investigation into Capital One data breach

New York Attorney General opens investigation into Capital One data breach
© Getty Images

New York Attorney General Letitia James announced Tuesday that her office is opening an investigation into the Capital One data breach that resulted in the personal information of about 100 million American customers being illegally accessed.

“My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief,” James said in a statement. “We cannot allow hacks of this nature to become every day occurrences.”

ADVERTISEMENT

Also on Tuesday, Capital One was hit with its first civil lawsuit in conjunction with the breach. According to The National Law Journal, one Connecticut resident filed suit against the company on behalf of all those impacted, claiming it failed to properly secure customer data. 

The beginning of the investigation comes one day after the Department of Justice announced that former Seattle-based software engineer Paige Thompson had been arrested in connection with the theft of personal information from servers storing Capital One data. 

Thompson posted on GitHub about her theft of the data earlier this month and another user who saw the post subsequently alerted Capital One of the issue, with Capital One then reaching out to the FBI, authorities said. Thompson was able to access the data due to a “misconfigured web application firewall,” according to the Justice Department. According to Capital One she had accessed the data over two days in March. 

The breach allowed Thompson to access information including consumers’ names, some Social Security numbers, addresses, phone numbers, email addresses, and other personal data. Capital One estimated that, in addition to American customers, Thompson was also able to access the data of around six million Canadians. 

Specifically, Capital One noted that around 14,000 Social Security numbers of credit card customers were accessed, and about 80,000 linked bank account numbers of secured credit card customers were compromised. For Canadian customers, around one million Social Security numbers were compromised. 

Last week, James co-led a coalition of state attorneys general that reached what was described as the biggest data breach settlement in history in securing a settlement with credit agency Equifax in conjunction with its 2017 data breach that compromised the personal data of nearly half the U.S. population. 

In announcing the investigation into the Capital One breach, James noted, “It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?” 

Capital One put out a statement on Monday, stressing that it had immediately fixed the system vulnerability that allowed Thompson access to the data and that the company believes it is “unlikely that the information was used for fraud or disseminated by this individual.”

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Capital One Chairman and CEO Richard Fairbank said in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right." 

Some lawmakers immediately vowed action in response to the breach. 

Sen. Ron WydenRonald (Ron) Lee WydenRussian interference reports rock Capitol Hill McSally unveils bill to lower drug prices amid tough campaign Graham: Trump has 'all the legal authority in the world' to pardon Stone MORE (D-Ore,) the top Democrat on the Senate Finance Committee, tweeted, “I’m sick of waking up to headlines revealing that millions of Americans had their information stolen because a billion-dollar company failed Cybersecurity 101. Corporations will only take Americans’ privacy seriously when CEOs are held personally accountable.”

A spokesperson for Senate Banking Committee Chairman Mike CrapoMichael (Mike) Dean CrapoErnst endorses bipartisan Grassley-Wyden bill to lower drug prices Trump pick for Fed seat takes bipartisan fire On The Money: Economy grows 2.3 percent in 2019, slowest year under Trump | How coronavirus could impact the US economy | Farm bankruptcies jump | Pelosi not ready to back UK trade deal MORE (R-Idaho) told The Hill that the committee “is looking into the matter and will investigate it further, especially in light of Sen. Crapo looking at legislation on data privacy and safeguards.” 

Sen. Sherrod BrownSherrod Campbell BrownTrump pick for Fed seat takes bipartisan fire On The Money: Deficit spikes 25 percent through January | Mnuchin declines to say why Trump pulled Treasury nominee who oversaw Roger Stone case | Lawmakers trade insults over Trump budget cuts Mnuchin defends Treasury regulations on GOP tax law MORE (D-Ohio), the ranking member on the Senate Banking Committee, told The Hill on Tuesday that he would support his committee holding hearings to investigate the incident. 

“I support making them responsible and hopefully more contrite than Equifax was,” Brown added.