Software engineer Paige Thompson, 33, allegedly boasted about the hack and left crumbs for investigators to follow, The New York Times reported. Thompson formerly worked for Amazon Web Services, which hosted the Capital One database that was breached.
Seattle-based Thompson was charged with one count of computer fraud and abuse following her arrest on Monday (July 30).
“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it,” the NYT said.
The F.B.I. noticed her activity on a Meetup she organizes called Seattle Warez Kiddies, which is for people into “hacking, cracking.” This led to a GitHub post and to the incriminating Slack message and Tweet. Online, she used the name “erratic.”
Court documents filed with Seattle’s District Court state that Thompson appeared to brag about the information she had accessed related to Capital One. The documents said Thompson accessed the data through a “misconfiguration” of a firewall on a web application.
Capital One revealed the massive data breach in a news release on July 29, 2019. The bank says it does not appear that the hacker used the stolen information for fraudulent purposes, but investigators will continue to look into it.
The company said it discovered July 19 that there was unauthorized access and fixed the configuration vulnerability, then immediately notified federal law enforcement.
The breach impacts about 100 million individuals in the United States and around 6 million in Canada. Capital One stressed that credit card account numbers and login credentials were not compromised, while more than 99 percent of Social Security numbers were not impacted.
“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the FBI complaint said, and the bank told the bureau that the data includes “likely tens of millions of applications and approximately 77,000 bank account numbers.”
The hack is expected to cost the company between $100 million and $150 million in the near term.