Seattle-based engineer Paige Thompson was arrested Monday for allegedly hacking into Capital One’s databases and gaining access to approximately 140,000 Social Security numbers and 80,000 bank account numbers.
Capital One disclosed the massive breach in a press release Monday afternoon, noting that about 100 million people in the U.S. and 6 million people in Canada were affected in total. A majority of the compromised information came from credit card application data submitted between 2005 and 2019 that included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Credit score information, payment history, transaction data, contact information, and more were also obtained.
The U.S. Attorney’s Office of the Western District of Washington issued its own release. According to the complaint, Thompson — also known by the alias “erratic” — hacked into a misconfigured web application firewall. She posted about the theft on GitHub; a GitHub user later alerted Capital One about the post, and two days later the FBI was notified.
Thompson was a former Amazon Web Services employee, according to people familiar with the matter. The complaint notes that Thompson worked at a “cloud computing company” as a systems engineer from 2015 to 2016, but did not name the company.
The complaint details how FBI agents were able to tie together postings on GitHub, Slack, and Twitter to ultimately trace the hack to Thompson.
Thompson breached the servers Capital One rented from the “cloud computing company,” according to the complaint. Capital One is an Amazon Web Services customer.
The hack took place from on or about March 12 to on or about July 17.
Investigators arrested Thompson inside her residence and seized numerous devices. Thompson, 33, appeared in U.S. District Court today in Seattle.
Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine. A hearing is scheduled for August 1.
Capital One said it is “unlikely that the information was used for fraud or disseminated by this individual.” No credit card account numbers or log-in credentials were compromised. The incident will cost the company $100 million to $150 million this year.
The banking giant also noted that “this type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.”
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One Chairman and CEO Richard D. Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”