Capital One data breach: Arrest after details of 106m people stolen


In the US and Canada, approximately 106 million individuals had their personal details stolen in a hack targeting Capital One. Paige Thompson was arrested on Monday after reportedly boasting about the breach online. According to Capital One, the data included names, addresses and phone numbers of people who applied for its products. However, the hacker did not gain access to credit card account numbers.

The data breach is believed to be one of the largest in banking history.

How Capital One got hacked

According to the complaint, Thompson shared the information on GitHub, using her first, middle and last name. She also boasted on social media that she had gained access to Capital One information.

In a channel on work communications platform Slack, Thompson explained what she did to break into Capital One, according to the Justice Department. She claimed to use a special command in Amazon’s servers to extract files in a Capital One directory.

“I wanna get it off my server that’s why I’m archiving all of it lol,” Thompson allegedly posted on Slack. This alarmed one person, who wrote that the information was “sketchy,” adding, “don’t go to jail plz.”

Very little effort was made on Thompson’s part to hide her identity. She allegedly used the screen name “erratic” on Slack. This was the same handle she used on a Twitter account and a Meetup chatroom page.

The FBI special agent who investigated Thompson believes Thompson tweeted her desires to expose social security numbers, as well as full names and dates of birth.

An individual who saw the information on GitHub was quick to notify Capital One of the situation. Capital One notified the FBI, who investigated further and found devices in her possession that referenced Capital One and Amazon, as well as other organisations that may have been targeted.

How many people have been affected?

According to a recent statement by Capital One, approximately 140,000 social security numbers and 80,000 linked bank account numbers were compromised in the US. In Canada, around 1 million insurance numbers belonging to Capital One credit card customers were also compromised.

Capital One said Thompson was able to “exploit a configuration vulnerability” in the company’s infrastructure. She was also able to obtain credit scores, limits, balances, and payment history.

How has Capital One reacted?

Capital One said the information was unlikely to be used for fraud, but it would continue to investigate the breach.

Chairman Richard Fairbank said in a statement: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Ms Thompson faces a maximum sentence of five years in prison and a $250,000 (£204,713) fine.
