Following news this week that a mammoth data breach affected the personal information of millions of Capital One users, and with an individual now arrested in connection to the incident, Attorney General Letitia James of New York has announced her office is launching an “immediate” probe into the breach.
“We will begin an immediate investigation into the [Capital One] breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief,” James tweeted Tuesday, just a day after the breach was made public. “These hacks are becoming far too commonplace and we cannot allow this to become every day occurrences.”
Capital One announced this week that it became aware that a vulnerability exposed the personal data of roughly 100 million people in the U.S. and an estimated 6 million in Canada. That information included names, email addresses, phone numbers, dates of birth, income and credit data, bank account balances, and some transaction data spanning 23 days between 2016 and 2018. In addition, 140,000 Social Security numbers and 80,000 bank account numbers were compromised.
While Capital One said it became aware of the issue on July 17 after being contacted by an outside security researcher and immediately moved to action, the unauthorized access is believed to have taken place in March. The Justice Department announced Monday that 33-year-old Paige Thompson, a software engineer and former Amazon Web Services employee, had been arrested in connection with the hack.
Authorities were reportedly pointed to Thompson by a trail she left online after posting about the crime. According to the Justice Department, a GitHub user on July 17 saw a post by Thompson regarding the hack of Capital One information. That individual then contacted the bank, which contacted the FBI about the incident. Drives containing a copy of the stolen data were reportedly discovered during a search of Thompson’s home this week.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard Fairbank, chairman and CEO of Capital One, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
According to the bank, 99 percent of Social Security numbers were not exposed, and no Capital One login credentials or credit card account numbers were compromised either. The company said this week it will contact those whose information was exposed and will offer free credit monitoring and identify protection to affected parties.
The company further noted that based on its current information, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”