New York State is opening an investigation into the Capital One data breach
New York state is opening an investigation into a data breach at Capital One Financial Corp. that involves the personal information of 100 million consumers.
The breach allowed for illegal access to names, Social Security numbers, dates of birth, addresses and other highly sensitive personal information, New York Attorney General Letitia James said in a statement Tuesday.
“My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief,” James said in the statement. “We cannot allow hacks of this nature to become everyday occurrences.”
Capital One Financial Corp. set up an email address for tipsters—including “white hat” hackers—to alert the company to potential vulnerabilities in its computer systems. On July 17, the company got a hit.
“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.
It didn’t take Capital One long to figure out who had accessed its files. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.
“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the “erratic” alias, in a June 18 Twitter message. “There ssns...with full name and dob”—an apparent reference to Social Security numbers.
It also didn’t take Capital One much time to assess the damage. On Monday, it announced that about 100 million people in the U.S. had been impacted by the breach, and another 6 million in Canada. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.
Most Social Security numbers were protected, but about 140,000 were compromised, the bank said. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”
The company described the tipster to the hack as an “external security researcher.”
Thompson, 33, was charged with computer fraud and abuse. In a court hearing Monday, she broke down and laid her head on the defense table. On Tuesday, New York Attorney General Letitia James announced that her office is opening an investigation into the Capital One breach.
The scale of the breach ranks it as possibly one of the largest-ever impacting a U.S. bank, although the consequences may be limited if the data wasn’t distributed to others or used for fraud.
Capital One shares fell as much as 6.5 percent Tuesday morning, their biggest decline in six months.