New York Attorney General opens investigation into Capital One data breach

New York Attorney General Letitia James announced Tuesday that her office is opening an investigation into the Capital One data breach that resulted in the personal information of about 100 million American customers being illegally accessed.

“My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief,” James said in a statement. “We cannot allow hacks of this nature to become every day occurrences.”

{mosads}Also on Tuesday, Capital One was hit with its first civil lawsuit in conjunction with the breach. According to The National Law Journal, one Connecticut resident filed suit against the company on behalf of all those impacted, claiming it failed to properly secure customer data. 

The beginning of the investigation comes one day after the Department of Justice announced that former Seattle-based software engineer Paige Thompson had been arrested in connection with the theft of personal information from servers storing Capital One data. 

Thompson posted on GitHub about her theft of the data earlier this month and another user who saw the post subsequently alerted Capital One of the issue, with Capital One then reaching out to the FBI, authorities said. Thompson was able to access the data due to a “misconfigured web application firewall,” according to the Justice Department. According to Capital One she had accessed the data over two days in March. 

The breach allowed Thompson to access information including consumers’ names, some Social Security numbers, addresses, phone numbers, email addresses, and other personal data. Capital One estimated that, in addition to American customers, Thompson was also able to access the data of around six million Canadians. 

Specifically, Capital One noted that around 14,000 Social Security numbers of credit card customers were accessed, and about 80,000 linked bank account numbers of secured credit card customers were compromised. For Canadian customers, around one million Social Security numbers were compromised. 

Last week, James co-led a coalition of state attorneys general that reached what was described as the biggest data breach settlement in history in securing a settlement with credit agency Equifax in conjunction with its 2017 data breach that compromised the personal data of nearly half the U.S. population. 

In announcing the investigation into the Capital One breach, James noted, “It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?” 

Capital One put out a statement on Monday, stressing that it had immediately fixed the system vulnerability that allowed Thompson access to the data and that the company believes it is “unlikely that the information was used for fraud or disseminated by this individual.”

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One Chairman and CEO Richard Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.” 

Some lawmakers immediately vowed action in response to the breach. 

Sen. Ron Wyden (D-Ore,) the top Democrat on the Senate Finance Committee, tweeted, “I’m sick of waking up to headlines revealing that millions of Americans had their information stolen because a billion-dollar company failed Cybersecurity 101. Corporations will only take Americans’ privacy seriously when CEOs are held personally accountable.”

A spokesperson for Senate Banking Committee Chairman Mike Crapo (R-Idaho) told The Hill that the committee “is looking into the matter and will investigate it further, especially in light of Sen. Crapo looking at legislation on data privacy and safeguards.” 

Sen. Sherrod Brown (D-Ohio), the ranking member on the Senate Banking Committee, told The Hill on Tuesday that he would support his committee holding hearings to investigate the incident. 

“I support making them responsible and hopefully more contrite than Equifax was,” Brown added.