New York Attorney General's Office opens probe into Capital One data breach

Personal details of more than 100 million people in the US and Canada were compromised in the data breach - linked to a misconfigured firewall

New York Attorney General Letitia James has announced an investigation into the massive security breach at Capital One.

The probe comes a day after the company revealed that the personal information of 106 million people in the US and Canada was compromised in the incident - 100 million in the US and six million in Canada.

"Today, 100 million consumers across America are wondering if they were unfortunate enough to be a victim of the most recent data breach. Though Capital One's breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers' names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information," James said in a statement.

"My office will begin an immediate investigation into Capital One's breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become everyday occurrences," she added.

On Monday, Capital One revealed that names, emails, dates of birth, phone numbers, addresses, and self-reported incomes of customers who applied for a credit card from the company over the past 14 years were illegally accessed by a lone hacker.

The company also said that the hacker was able to access 80,000 bank account numbers, 140,000 US Social Security Numbers, and about one million Canadian social insurance numbers.

According to the authorities, the attack was carried out by Paige Thompson, a former Amazon Web Services (AWS) engineer. Thompson, aged 33, lives in Seattle and was arrested by the FBI on Monday.

Thompson allegedly started accessing Capital One's data on AWS's cloud server in March, but the bank only found out about it after receiving an email on 17th July.

The FBI told the court on Monday, when Thompson was charged, that she had shared details about the breach on GitHub in April and likely gained access to AWS servers through a misconfigured firewall. Thompson also left behind evidence pointing to her as the perpetrator, court documents indicate.

She faces up to five years in prison and a fine of up to $250,000.

Capital One said the compromised data was likely not leaked online, and that it has no evidence that the data has been misused. The company also estimates that the incident will cost it around $100 - $150 million in 2019.

In 2015, Capital One's CIO, Rob Alexander, said at an AWS conference that the bank was working closely with the Amazon team "to develop a security model".

This incident follows the settlement of the 2017 Equifax data breach, in which the personal information of as many as 147 million people was exposed.

The settlement with authorities in the Equifax data breach included a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief for consumers. Consumers affected by that incident will be able to claim up to $20,000 each in compensation.

Equifax could be on the hook for as much as $700 million - a sum that indicates the kind of punishment that Capital One could be facing as the cost of a misconfigured firewall.