Capital One Says Hacker Stole Data of 100 Million People

In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and stole millions of credit card applications, federal prosecutors said on Monday.

The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.

Ms. Thompson was not shy about her work as a hacker. She is listed as the organizer of a group on Meetup, a social network, called Seattle Warez Kiddies, described as a gathering for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The F.B.I. noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and the Slack messaging service.

“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”

Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.

According to court papers and Capital One, Ms. Thompson stole 140,000 Social Security numbers and 77,000 bank account numbers in the breach.

More than 100 million people in the United States and Canada were affected, the company said Monday. The breach also compromised one million Canadian social insurance numbers — the equivalent of Social Security numbers for Americans.

“Based on our analysis to date,” the bank said in a statement, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”

The F.B.I. agent who investigated the breach said in court papers that a “firewall misconfiguration” by the bank had allowed Ms. Thompson to communicate with the server where Capital One was storing its information and, eventually, gain access to customer files.

“I am deeply sorry for what has happened,” the bank’s chief executive, Richard D. Fairbank, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

While the breach was possible thanks to a security lapse by Capital One, it was aided by Ms. Thompson’s expertise. Information posted on social media shows she worked at one time for Amazon, as an engineer for the same server business that court papers in her case said Capital One was using.

Amazon representatives did not immediately respond to requests for comment.

In a breach in 2017, Capital One notified customers that a former employee may have had access for nearly four months to their personal data, including account numbers, telephone numbers, transaction history and Social Security numbers. The company reported a similar breach involving an employee in 2014.

Last week, the credit bureau Equifax settled claims from a 2017 data breach that exposed sensitive information on over 147 million consumers, costing it about $650 million.

Reporting was contributed by Adam Goldman, Ben Protess, Stacy Cowley and Tiffany Hsu.

Source: Read Full Article