Seattle-based engineer Paige Thompson was arrested Monday for allegedly hacking into Capital One’s databases and gaining access to approximately 140,000 Social Security numbers and 80,000 bank account numbers.
Capital One disclosed the massive breach in a press release Monday afternoon, noting that about 100 million people in the U.S. and 6 million people in Canada were affected in total. It’s one of the largest breaches of a major financial service.
A majority of the compromised information came from credit card application data submitted between 2005 and 2019 that included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Credit score information, payment history, transaction data, contact information, and more were also obtained.
Capital One said it is “unlikely that the information was used for fraud or disseminated by this individual.” No credit card account numbers or log-in credentials were compromised. The incident will cost the company $100 million to $150 million this year to cover customer notifications, credit monitoring, technology costs, and legal support.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One Chairman and CEO Richard D. Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
The U.S. Attorney’s Office of the Western District of Washington issued its own release. According to the complaint, Thompson — also known by the alias “erratic” — hacked into a misconfigured web application firewall. She posted about the theft on GitHub; a GitHub user, referred to as an ethical security researcher, alerted Capital One to the post. Two days later on July 19, the FBI was notified.
Thompson was a former Amazon Web Services employee, according to people familiar with the matter. The complaint notes that Thompson worked at a “cloud computing company” as a systems engineer from 2015 to 2016, but did not name the company.
The complaint details how FBI agents were able to tie together postings on GitHub, Slack, and Twitter to ultimately trace the hack to Thompson.
Thompson obtained data stored by Capital One “at the cloud computing company,” according to the complaint.
Capital One is an Amazon Web Services customer. The banking giant noted that “this type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.”
The hack took place on March 22 and 23, according to Capital One. Update: Brian Krebs, a cybersecurity expert, reported that other companies could come out with similar disclosures based on his investigation of Slack posts made by Thompson.
Investigators arrested Thompson inside her residence and seized numerous devices. Thompson, 33, appeared in U.S. District Court today in Seattle. Another person at the house, 66-year-old Park Quan, was also arrested for illegal possession of approximately 20 firearms.
Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine. A hearing is scheduled for August 1.