A newly disclosed data breach from Capital One affecting roughly 106 million consumers in North America has sparked an investigation from New York’s attorney general, though more are likely to follow.
Letitia James said Tuesday her office will launch an “immediate investigation” into the intrusion, which was revealed by Capital One on Monday night.
“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the question: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?” James said, adding, “We cannot allow hacks of this nature to become every day occurrences.”
James said she will work to ensure any New Yorkers impacted by the breach are provided relief.
Capital One, headquartered in McLean, Virginia, learned of the hack this month and the FBI arrested Paige Thompson, a Seattle software engineer, in the theft of personal information from 106 million customers and credit card applicants in the United States and Canada.
Thompson, 33, stole the information from servers storing Capital One’s data and was able to hack into their system through a misconfigured web application firewall, the Justice Department said. She then listed file names from so-called buckets of information from Capital One on Github, a technology information sharing site.
A Github user who saw the post from Thompson, which was made using her real name and referenced her screen name “erratic,” informed Capital One on July 17 it may have suffered a data breach. The bank determined two days later that it had, indeed, been compromised, and subsequently contacted the FBI.
Capital One said no credit card account numbers were compromised, and the largest category of information stolen was on customers and small businesses as of the time they applied for the lender’s credit card products from 2005 through early this year. Among the data accessed was names, addresses, zip codes, phone numbers, email addresses, dates of birth, and reported income.
While the lender said more than 99% of Social Security numbers were not compromised, roughly 140,000 Social Security numbers and roughly 80,000 linked bank account numbers from Capital One credit card customers were hacked.
Capital One’s disclosure of the data breach — and subsequent investigation from the New York attorney general — comes after states and federal regulators reached a settlement with consumer credit bureau Equifax over its 2017 data breach, which exposed the personal data of nearly 150 million Americans. Under the deal, which has to receive approval from a federal court, Equifax agreed to pay at least $650 million related to the hack.
