Capital One revealed that the financial and personal data of more than 100 million customers had been compromised as a result of the hack. The data breach included the compromise of 140,000 customer social security numbers and 80,000 bank account numbers.
The contact information, birth dates, names and addresses of the bank’s users were also caught up in the hack, which resulted from a misconfigured firewall.
Server-side request forgery exploits involve an attacker forcing another organisation’s server to perform a task for them, according to Infosec.
Under that section of the act, businesses are prohibited from using “unfair methods of competition” and “unfair or deceptive acts or practices,” Thomson Reuters Practical Law says.
A Capital One spokesperson said the company declined to comment on the letter.
The company also told the senator that it had “reached out” to other customers the alleged hacker claimed to have successfully attacked and “offered to help them assess and secure their data.”
Another investigation into the Capital One personal data breach was launched by a law firm planning to bring a class-action lawsuit against the company in August.