Want the best of VICE News straight to your inbox? Sign up here.
The hacker who bragged about stealing personal data on 106 million Capital One customers in the U.S. and Canada was arrested and charged on Monday.
Paige Adele Thompson, 33, was arrested at her home in Seattle. FBI agents tracked her down after she boasted online about the alleged hack, using the name “erratic.”
Thompson appeared in court Monday and was charged with computer fraud and abuse. She will appear in court again Thursday and faces up to five years in prison and a maximum fine of $250,000.
According to the Justice Department indictment, Thompson stole the information from servers hosted by Amazon, where she worked for almost 18 months, according to her online resume. The data was stolen between March and July of this year.
Capital One only became aware of the breach on July 17, when someone emailed the company to say Thompson had posted information about how she obtained the data on GitHub, which software developers use to share code.
Capital One said the data breach affected up to 100 million people in the U.S. and 6 million in Canada, but the financial giant has tried to play down the severity of the breach, claiming none of the stolen information has been used for fraudulent activity.
Capital One is the latest in a long string of major U.S. companies to suffer a large data breach. Just last week, Equifax agreed to pay at least $700 million to settle lawsuits over a 2017 breach that exposed the Social Security numbers and other sensitive information of roughly half of the U.S. population.
READ MORE: Russia is still trying to hack the DNC
What information was stolen?
According to Capital One, details from 106 million credit card applications by individuals and small businesses were compromised in the breach. This would have included personal information such as names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income.
The compromised data was submitted to Capital One by credit card applicants as far back as 2005 and as recently as early 2019.
The breach also compromised 140,000 Social Security numbers and 80,000 linked bank account numbers in the U.S. In Canada, one million Social Insurance numbers were compromised.
How did the hacker get in?
The company has provided little information about what made the hack possible, saying only it was the result of a “configuration vulnerability” that it has since fixed.
The FBI indictment, however, gives more details on how the information was obtained.
It states that a “firewall misconfiguration permitted commands to reach and be executed" by Capital One's cloud-based storage servers. This means that the intruder was able to breach the security measures put in place by Capital One and request the data stored on the servers without needing the proper authorization.
The hacker used several methods to mask her identity and location, including a virtual private network service and the anonymous TOR browser.
However, the FBI linked the activity to Thompson, because she used her full real name on GitHub, where her posts contained information about Capital One's systems. Separately, the FBI claims Thompson boasted about her attack on a Slack channel, saying she could not be tracked because of the anonymization methods she used.
Who is the alleged hacker?
Thompson is a 33-year-old software engineer who attended Bellevue College in Washington State in 2005, according to her online resume. But she “left early to pursue a career opportunity.”
She has operated a website and email hosting company called Netcrave Communications since 1999, and has worked at a number of companies in or around Seattle since. Her last listed role was with Amazon’s Simple Storage Services (S3) as a Level 4 systems engineer, a role that ended in September 2016.
Thompson was an active social media user, with at least two Twitter accounts, one of which has now been suspended.
How has Capital One responded?
The company has apologized and said it will be offering free credit monitoring to everyone affected.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard Fairbank, Capital One CEO and chairman, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Those affected will be alerted to the breach by Capital One and offered free identity theft and credit monitoring protection. The company has set up an FAQ for people looking for more details.
The company added that it was “unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
What do the experts say?
The company says it has fixed the vulnerability used in this breach, but experts worry about how long it took for the company to identify the breach in the first place.
“Given Capital One’s immense capacity to invest into cybersecurity and the allegedly trivial nature of the vulnerability, such protracted detection timeline is incomprehensibly huge,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said in an emailed statement to VICE News. “Legal ramifications of the breach may be both exorbitant and protracted, including regulatory fines and penalties, individual and class action lawsuits by the victims.”
In the end, it was not Capital One that spotted the breach but someone outside the company.
“Capital One didn’t even know they’d been breached until an external party notified of them on Wednesday 17th July that their customer data appeared to be showing up on GitHub,” Matt Walmsley, EMEA Director at cybersecurity company Vectra, said in an emailed statement to VICE News. ”Yet again, we see another big breach where defensive controls fail and detection capabilities are found wanting.”
Cover: In this July 16, 2019, photo, a man walks across the street from a Capital One location in San Francisco. Capital One says a hacker got access to the personal information of over 100 million individuals applying for credit. The McLean, Virginia-based bank said Monday, July 29, it found out about the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator. (AP Photo/Jeff Chiu)