The breach affected people who applied for a credit card from the US bank over the last 14 years, with the theft of sensitive data including Social Security numbers, bank account numbers and about 1 million Canadian social insurance numbers. The hacker also stole victims' names, addresses, ZIP codes, phone numbers, email addresses and dates of birth.
"My office will begin an immediate investigation into Capital One's breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become everyday occurrences," James said in a statement.
While the breach of Capital One data on Amazon Web Services' cloud server started in March, the bank wasn't aware of the infiltration until a security researcher notified the company through its responsible disclosure email on July 17. The FBI arrested the alleged hacker, Paige Thompson, 33, on Monday and said in court documents that she had posted details about the breach on a GitHub page in April. Thompson was an employee at Amazon Web Services from 2015 to 2016.
At an AWS conference in 2015, Capital One Chief Information Officer Rob Alexander said the bank had "worked closely with the Amazon team to develop a security model."
Thompson allegedly gained access to Capital One's servers through a misconfigured firewall, according to court documents. Capital One said it didn't believe that the data stolen was used for fraud or spread online, and estimates that the hack will cost the company $100 million to $150 million this year.
James' office had co-led the lawsuit against Equifax, after its 2017 breach, along with 49 other state attorneys general, resulting in the largest data breach settlement in history, with a payment of potentially $700 million.
The attorney general criticized Capital One for failing to provide safeguards that would have protected millions of people's data.
"It is becoming far too commonplace," she said in a statement, "that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?"
Originally published at 6:58 a.m. PT. Updated at 7:05 a.m. PT: To include background details.