Woman charged in bank-server hacking
Data on 100 million people obtained in Capital One breach, prosecutors say
A woman who worked as a software engineer in Seattle hacked into a server holding customer information for Capital One and obtained the personal data of more than 100 million people, federal prosecutors said Monday, in one of the largest thefts of data from a bank.
The suspect, Paige Thompson, 33, left a trail online for investigators to follow as she boasted about the hacking, according to court documents in Seattle, where she was arrested and charged with one count of computer fraud and abuse.
Thompson formerly worked for Amazon Web Services, which hosted the Capital One database that was breached. She was listed as the organizer of Seattle Warez Kiddies, a group on the social network Meetup described as a gathering for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The FBI said it noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and the Slack messaging service.
“I’ve basically strapped myself with a bomb vest,” Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”
According to court papers and Capital One, Thompson stole 140,000 Social Security numbers and 80,000 bank account numbers in the breach.
In all, more than 100 million people in the United States and Canada were affected, the company said Monday. The breach also compromised 1 million Canadian social insurance numbers — the equivalent of Social Security numbers for Americans.
The information came from credit card applications by consumers and small businesses made as early as 2005 and as recently as 2019, according to Capital One.
“Based on our analysis to date,” the bank said in a statement, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
The FBI agent who investigated the breach said in court papers that Thompson gained access to the sensitive data through a “misconfiguration” of a firewall on a Web application that would allow a hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.
On Monday, FBI agents executed a search warrant on Thompson’s house. They seized “numerous digital devices,” prosecutors said, and found on them “items that referenced Capital One” and Amazon, which they referred to in the complaint only as the “cloud computing company.”
Capital One said the bank account numbers were linked to customers with “secured” credit cards. Secured cards require customers to put forth a sum of money — $200 or $250 — in exchange for a card.