FBI arrests woman accused of Capital One records hack
WASHINGTON — The FBI has arrested a woman from the Seattle area on charges of stealing tens of millions of sensitive customer records from Capital One, the Virginia-based bank with a popular credit card business, including some bank account numbers, according to court papers.
The suspect, Paige Thompson, was arrested early Monday on a charge of computer fraud and abuse, court records say.
Thompson, who authorities said used the name “erratic” in online conversations, is suspected of “exfiltrating and stealing information, including credit card applications and other documents, from Capital One,” according to a criminal complaint filed in federal court. She was ordered to remain in jail pending a detention hearing scheduled for Thursday, according to court records.
The Capital One hack disclosed Monday appears to be one of the largest data breaches ever to hit a financial services firm. In 2017, the credit-reporting company Equifax disclosed hackers had stolen the personal information of 147 million people. Last week, it reached a $700 million settlement with U.S. regulators over that hack.
It is unusual in a major hacking case for a suspect to be apprehended so quickly, and in this case, that was apparently because of boasts made online.
Thompson “made statements on social media for evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally,” according to the criminal complaint signed by FBI special agent Joel Martini.
In one online posting, “erratic” wrote: “I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” according to the complaint.
“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the FBI complaint said, and the bank told the bureau the data includes “likely tens of millions of applications and approximately 77,000 bank account numbers.”
Capital One, which is headquartered in the Washington suburb of McLean, Virginia, was alerted to a problem July 17, after a person in an online-discussion group had claimed to have taken large amounts of the company’s data, according to the complaint.
The bank investigated and quickly confirmed there was a vulnerability, the court papers said.
Home addresses, dates of birth and other personal details were compromised, but for the majority of bank customers, their Social Security numbers were protected, according to the complaint.
Thompson had previously worked at an unidentified cloud computing company that provided data services to Capital One, according to court papers.
Authorities said in conversations using the messaging service Slack, Paige posted a list of files she claimed to possess, leading another person in the group discussion to reply: “sketchy” and “don’t go to jail plz.”
The “erratic” user replied “I wanna get it off my server that’s why Im archiving all of it lol … its all encrypted,” according to court files.
Based on other postings allegedly made by Thompson last month, the FBI came to suspect she “intended to disseminate data stolen from victim entities, starting with Capital One,” court documents say.