Capital One breach spurs investigation by New York attorney general

The investigation comes the day after the banking company announced more than 100 million people were affected by the breach.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Capital One Financial's offices in San Francisco

Stephen Shankland/CNET

New York Attorney General Letitia James is opening an investigation into a massive hack of Capital One that affects more than 100 million people.

The call for the investigation comes less than a day after Capital One announced the breach.

The breach affected people who applied for a credit card from the US bank over the last 14 years, with the theft of sensitive data including Social Security numbers, bank account numbers and about 1 million Canadian social insurance numbers. The hacker also stole victims' names, addresses, ZIP codes, phone numbers, email addresses and dates of birth. 

"My office will begin an immediate investigation into Capital One's breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become everyday occurrences," James said in a statement.

While the breach of Capital One data on Amazon Web Services' cloud server started in March, the bank wasn't aware of the infiltration until a security researcher notified the company through its responsible disclosure email on July 17.

The FBI arrested the alleged hacker, Paige Thompson, 33, on Monday and said in court documents that she had posted details about the breach on a GitHub page in April. Thompson was an employee at Amazon Web Services from 2015 to 2016.

This incident comes in the wake of news that Equifax may have to pay up to $700 million over a 2017 data breach. That breach of Equifax's servers involved the Social Security numbers and home addresses of nearly 148 million Americans. 

At an AWS conference in 2015, Capital One Chief Information Officer Rob Alexander said the bank had "worked closely with the Amazon team to develop a security model." 

Thompson allegedly gained access to Capital One's servers through a misconfigured firewall, according to court documents. Capital One said it didn't believe that the data stolen was used for fraud or spread online, and estimates that the hack will cost the company $100 million to $150 million this year. 

James' office co-led the lawsuit against Equifax after its 2017 breach, along with 49 other state attorneys general, resulting in the largest data breach settlement in history, with a potential $700 million payment.

The attorney general criticized Capital One for failing to provide safeguards that would have protected millions of people's data. 

"It is becoming far too commonplace," she said in a statement, "that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?"

Originally published at 6:58 a.m. PT.
Updated at 7:05 a.m. PT: To include background details.