New York State Attorney General Letitia James New York State Attorney General Letitia James outside the U.S. Supreme Court on April 23, 2019.

New York Attorney General Letitia James has launched an investigation into the major data breach announced Tuesday by Capital One, which resulted in the personal information of 100 million consumers being illegally accessed by a hacker in Seattle.

James, whose office recently co-led a massive settlement with Equifax over its own data breach from 2017, was critical of Capital One in a statement announcing the probe Tuesday.

“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place?” James said. “And are companies doing enough to prevent future data breaches?”

James said her office has launched an investigation into the data breach, which happened earlier this year but wasn't discovered by Capital One until about two weeks ago. Paige Thompson, a former software engineer from Seattle, is accused of performing the breach, according to federal prosecutors in Washington state.

Thompson is alleged to have posted on the information sharing site GitHub about the breach, saying that she had accessed servers that store Capital One's data, the U.S. Attorney's Office for the Western District of Washington said. Someone on the website saw Thompson's post and told Capital One.

Capital One, two days later, told the FBI about the breach. Cyber investigators identified Thompson as the perpetrator. She was arrested Monday and is scheduled for a hearing later this week.

James said that Capital One should have had stronger safeguards to prevent Thompson from accessing the information, which included such data as consumer's names and Social Security numbers.

“Though Capital One's breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers' names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information,” James said.

The New York Attorney General's Office will be working to ensure that any victims of the breach from New York are provided appropriate relief, James said. Her office did not say who would be leading the investigation into the breach.

“We cannot allow hacks of this nature to become everyday occurrences,” James said.

Representatives from Capital One did not immediately respond to a request for comment on the investigation announced by James.

State officials in New York have moved in recent years to strengthen the state's cybersecurity protections, both through regulations and action by the state Legislature. That's been in response to the Equifax breach, which exposed the personal data of more than half of the U.S. adult population and has been considered one of the largest digital security events in history.

The New York State Department of Financial Services, for example, developed a stringent set of cybersecurity regulations in recent years that have been used as a model for other states to follow. The regulations established minimum security requirements for companies operating in New York.

Linda Lacewell, the superintendent of New York's Department of Financial Services and the top banking regulator in the state, said Tuesday her agency has been monitoring reports of the data breach at Capital One, which is regulated by the U.S. Office of the Comptroller of the Currency, not the state. 

“Today's news about Capital One is just the most recent breach threatening the financial security and privacy of our consumers,” Lacewell said. “These attacks are occurring with alarming regularity, and we remind all DFS-regulated entities to comply with required updates to their information and technology systems and to meet the standards set by New York's cybersecurity regulation.”

Also Tuesday a civil suit was filed by a Manhattan lawyer in District of Columbia federal district court over the breach.

State lawmakers also approved earlier this year the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, to boost digital security for consumers. The law, which hasn't yet taken effect, will add new requirements for when consumers should be notified of a data breach and set a new standard for digital security at companies that serve New Yorkers.

James was a major proponent of the legislation, which was first pushed by her predecessors in the wake of the Equifax breach. It will enable the New York Attorney General's Office to oversee and fine companies that fail to safeguard the person information of consumers. 

The New York Attorney General's Office was also among the first to launch a probe into the Equifax data breach when it was made public in 2017. That, along with a series of other investigations into the event, ended last week with a $1.4 billion global settlement from the credit reporting agency. About $19 million of that was secured by New York.

Bernstein Liebhard, a corporate governance law firm in Manhattan, also said this week that it's leading an investigation into the data breach on behalf of shareholders of Capital One. The firm said in a release that it's investigating securities fraud claims related to the incident.

READ MORE:

Capital One Hit With First Civil Suit Over Data Breach, in DC Federal Court

Equifax to Pay New York $19.1 Million as Part of Settlement Over Data Breach

Equifax Reaches $1.4 Billion Data Breach Settlement in Consumer Class Action

AG James Backs Data Breach Protection Act Passed by Legislature