Capital One breach spurs investigation by New York attorney general

Capital One Financial's offices in San Francisco

Stephen Shankland/CNET

New York attorney general Letitia James is opening an investigation into a massive hack of Capital One that affects more than 100 million people.

The call for the investigation comes less than a day after Capital One announced the breach.

The breach affected people who applied for a credit card from the US bank over the last 14 years. The stolen data includes sensitive information such as Social Security numbers, bank account numbers and about 1 million Canadian social insurance numbers. The hacker also stole victims’ names, addresses, ZIP codes, phone numbers, email addresses and birthdates.

“My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become everyday occurrences,” James said in a statement.

While the alleged hacker had infiltrated Capital One’s Amazon Web Services cloud server since March, the bank was not aware of the breach until a security researcher notified the company through its responsible disclosure email on July 17.

The FBI arrested the alleged hacker, Paige Thompson, 33, on Monday, and said in court documents that she had posted details about the breach on a GitHub page in April. Thompson worked at AWS from 2015 to 2016.

At AWS’s conference in 2015, Capital One’s chief information officer Rob Alexander said that the bank had “worked closely with the Amazon team to develop a security model.” 

Thompson allegedly gained access to Capital One’s servers through a misconfigured firewall, according to court documents. Capital One said it did not believe that the data stolen was used for fraud or spread online, and estimates the hack will cost the company $100 million to $150 million this year. 

James’ office co-led the lawsuit against Equifax along with 49 other state attorneys general, resulting in the largest data breach settlement in history with a $600 million payment.

The attorney general criticized Capital One for failing to provide safeguards that would have protected millions of people’s data. 

“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?” she said in a statement.

Originally published at 6:58 a.m. PT.
Updated at 7:05 a.m. PT: To include background details.