A Seattle woman, formerly employed as a software engineer, has been charged with stealing more than 100 million Capital One credit review accounts.
Paige A. Thompson (33), was led away on July 29, 2019, and is currently being held in custody by the Federal Bureau of Investigation (FBI).
After being alerted by an anonymous tipster, Capital One staffers responded to the data breach on July 19 — wasting no time fixing “the configuration vulnerability that this individual exploited,” and immediately contacted federal law enforcement officials for help.
Court records indicate that Thompson hacked into the millions of Capital One credit card application records between March 12 and July 17.
In a news release called “Capital One Announces Data Security Incident” and dated July 29, 2019, the international credit card issuer “determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.”
Capital One, a bank headquartered in McLean, Virginia, was quick to add that, despite continuing investigation, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
Richard D. Fairbank, Chairman, and CEO of Capital One, said he was “deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
“Those affected,” as Fairbank put it, are 100 million U.S. residents and an estimated 6 million more in Canada.
Capital One maintains that “no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.”
That 1% of credit card customers at the highest risk for identity theft and other expensive, potentially life-destroying criminal exploits by being compromised in this incident were, according to Capital One:
- About 140,000 Social Security numbers of their credit card customers
- About 80,000 linked bank account numbers of their secured credit card customers
- About 1 million Social Insurance Numbers of their Canadian credit card customers
Thompson hacked into a Capital One server on March 22 and 23 and made off with data on consumers and small businesses that applied for a Capital One credit card product between 2005 through early 2019. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income,” according to the company’s official statement.
The hacker also secured parts of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
A criminal complaint says Thompson “recognizes that she has acted illegally” and tried to share the information with others online:
“Thompson posted the information on GitHub, using her full first, middle and last name. She also boasted on social media that she had Capital One information.”
Someone who saw Thompson’s GitHub messaging alerted Capital One to the “leaked data” involving its corporate customers. It was then that Capital One contacted the FBI which dispatched an agent to search Thompson’s residence on July 29 who found “devices in her possession that reference Capital One and Amazon as well as other entities that may have been targets of attempted – or actual – breaches.”
The U.S. Justice Department has charged that Thompson detailed how she broke into Capital One in messages she posted in a Slack business-oriented chat service channel. Allegedly, she wrote that she had a custom program to download files from a Capital One directory stored on Amazon servers:
“I wanna get it off my server that’s why I’m archiving all of it lol.”
Thompson’s online identity was thinly veiled. Her alleged Slack username “erratic” was the same as the one she used on a Twitter account as well as a Meetup group chatroom page.
Thompson also tweeted her desire to “distribute Social Security numbers along with full names and dates of birth,” according to the FBI special agent who investigated Thompson.
Capital One’s legal team has proposed the usual remedies for heinous data hacks their data network security systems were incapable of preventing:
“Free credit monitoring and identity protection available to everyone affected.”
Capital One is nothing if not contrite in the wake of their online security failure:
“We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.”
Capital One has set up a consumer FAQ web page about the breach at www.capitalone.com/facts2019.
Historically, Thompson’s hack ranks in the top ten data breaches, including the infamous Equifax Hack of September 2017 which exposed the data of 143 million users who are at risk of identity and financial exploitation forever. The thieves, in this case, are still at large.
Capital One Financial Corporation’s stock (COF) dropped $10 after news of its massive customer data breach was revealed, from a high over $98 to a low of $89.29.
Will Capital One escape financial consequences to its ineffective customer data security? If Equifax is an example – and it is – then defrauded consumers should expect no remedial action. Capital One will provide 12 months of free “data protection services” – which include annoying inconveniences such as data freezes – and then walk away scot-free from the epic fail.
It is up to consumers to vote with their wallets. Just say no to banks that can’t guard their customers’ assets, including their most personal identifying information.