Senate Banking Chairman Michael D. Crapo and New York state Attorney General Letitia James said they will probe the data breach suffered by credit card issuer Capital One, which the company reported late Monday.
“I have concerns about all aspects of this,” Crapo said about the Capital One breach during a Tuesday morning hearing on cryptocurrencies. “We want to understand how this happened, how other breaches happened … and we want to know how vulnerabilities [appear] in systems and figure out what we must do to deal with them at a policy level. I don’t have answers yet, but yes, we need to figure that out and we do have concerns about those vulnerabilities.”
In New York, James issued a statement saying, “My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become everyday occurrences.”
James’ office joined attorneys general from 49 other states to sue and win a $700 million settlement last week from credit score reporting agency Equifax Inc. for its 2017 breach that led to information from 147 million consumers being lost to hackers.
Although Congress held hearings and scolded Equifax’s executives, lawmakers have not passed federal data breach legislation, leaving states to take the lead in holding companies accountable for such breaches.
Last week New York Governor Andrew Cuomo signed into law the SHIELD Act, which governs data breach notification requirements and consumer data protection obligations, and broadens the attorney general’s oversight of data breaches impacting New Yorkers. The act goes into effect in March 2020 and tightens existing provisions.
James said the law was a top legislative priority for her and would be used to fine companies that fail to safeguard consumers’ data.
Separately, Cuomo also signed into law last week another bill that would require credit reporting agencies that suffer data breaches to provide five years of identity theft prevention services to consumers at no cost to them. That law goes into effect in 60 days.
Credit card issuer Capital One said that a hacker had breached the company’s computer system and taken information that consumers and small businesses provide when applying for credit cards. The breach affects at least 100 million Americans and 6 million Canadians, the company said Monday.
The FBI has arrested the person responsible for the hacking, according to Capital One. Separately, news reports citing court records said the agency had arrested Paige A. Thompson, a Seattle-area woman, on charges of computer fraud and abuse. The woman had reportedly worked for Amazon Web Services, the provider of cloud computing services to the company, according to news reports.
In addition to credit card application information, which includes names, addresses, phone numbers, dates of birth and self-reported income, the hacker also obtained information on credit scores, balances and payment histories, as well as transaction details for short periods of time.
The hack did not lead to loss of bank account numbers, Social Security numbers, or login information, the bank said, with the exception of 140,000 customers who used Social Security numbers as part of their application.
“I sincerely apologize for the understandable worry this incident must be causing,” Richard D. Fairbank, the company’s CEO, said in a statement.
The hacker breached the company’s cloud system using a “specific vulnerability in our infrastructure,” Capital One said. The breach came to light after a security researcher alerted the company on July 17 using its disclosure program, which allows researchers to alert companies and agencies to potential breaches.
The company investigated and found that the breach had occurred on March 22 and 23, according to Capital One.
While the company routinely encrypts its data, the hacker had managed to decrypt the information, the company said, adding that the breach could cost the company about $150 million.