NY AG James Launches Investigation Into Capital One Data Breach
James, whose office recently co-led a massive settlement with Equifax over its own data breach from 2017, was critical of Capital One in a statement announcing the probe Tuesday.
July 30, 2019 at 11:30 AM
5 minute read
New York Attorney General Letitia James has launched an investigation into the major data breach announced Tuesday by Capital One, which resulted in the personal information of 100 million consumers being illegally accessed by a hacker in Seattle.
James, whose office recently co-led a massive settlement with Equifax over its own data breach from 2017, was critical of Capital One in a statement announcing the probe Tuesday.
“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place?” James said. “And are companies doing enough to prevent future data breaches?”
James said her office has launched an investigation into the data breach, which happened earlier this year but wasn't discovered by Capital One until about two weeks ago. Paige Thompson, a former software engineer from Seattle, is accused of performing the breach, according to federal prosecutors in Washington state.
Thompson is alleged to have posted on the information sharing site GitHub about the breach, saying that she had accessed servers that store Capital One's data, the U.S. Attorney's Office for the Western District of Washington said. Someone on the website saw Thompson's post and told Capital One.
Capital One, two days later, told the FBI about the breach. Cyber investigators identified Thompson as the perpetrator. She was arrested Monday and is scheduled for a hearing later this week.
James said that Capital One should have had stronger safeguards to prevent Thompson from accessing the information, which included such data as consumer's names and Social Security numbers.
“Though Capital One's breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers' names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information,” James said.
The New York Attorney General's Office will be working to ensure that any victims of the breach from New York are provided appropriate relief, James said. Her office did not say who would be leading the investigation into the breach.
“We cannot allow hacks of this nature to become everyday occurrences,” James said.
Representatives from Capital One did not immediately respond to a request for comment on the investigation announced by James.
State officials in New York have moved in recent years to strengthen the state's cybersecurity protections, both through regulations and action by the state Legislature. That's been in response to the Equifax breach, which exposed the personal data of more than half of the U.S. adult population and has been considered one of the largest digital security events in history.
The New York State Department of Financial Services, for example, developed a stringent set of cybersecurity regulations in recent years that have been used as a model for other states to follow. The regulations established minimum security requirements for companies operating in New York.
Linda Lacewell, the superintendent of New York's Department of Financial Services and the top banking regulator in the state, said Tuesday her agency has been monitoring reports of the data breach at Capital One, which is regulated by the U.S. Office of the Comptroller of the Currency, not the state.
“Today's news about Capital One is just the most recent breach threatening the financial security and privacy of our consumers,” Lacewell said. “These attacks are occurring with alarming regularity, and we remind all DFS-regulated entities to comply with required updates to their information and technology systems and to meet the standards set by New York's cybersecurity regulation.”
Also Tuesday a civil suit was filed by a Manhattan lawyer in District of Columbia federal district court over the breach.
State lawmakers also approved earlier this year the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, to boost digital security for consumers. The law, which hasn't yet taken effect, will add new requirements for when consumers should be notified of a data breach and set a new standard for digital security at companies that serve New Yorkers.
James was a major proponent of the legislation, which was first pushed by her predecessors in the wake of the Equifax breach. It will enable the New York Attorney General's Office to oversee and fine companies that fail to safeguard the person information of consumers.
The New York Attorney General's Office was also among the first to launch a probe into the Equifax data breach when it was made public in 2017. That, along with a series of other investigations into the event, ended last week with a $1.4 billion global settlement from the credit reporting agency. About $19 million of that was secured by New York.
Bernstein Liebhard, a corporate governance law firm in Manhattan, also said this week that it's leading an investigation into the data breach on behalf of shareholders of Capital One. The firm said in a release that it's investigating securities fraud claims related to the incident.
READ MORE:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllGovernment Attorneys Are Flooding the Job Market, But Is There Room in Big Law?
4 minute readTrump, ABC News Settlement in Defamation Lawsuit Includes $1M in Attorney Fees For President-Elect
Can Law Firms Avoid Landing on 'Enemy' List During the Trump Administration?
5 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250