In what's become an all-too-familiar story, Capital One and law enforcement have revealed that the personal information of 100 million U.S. customers and 6 million Canadian customers has been compromised. But this time, the miscreants are not nameless, unknown hackers working from a foreign country. The thief is 33-year-old Paige Thompson, a former Amazon Web Services software engineer, and she was arrested in Seattle, where she has been charged and remains in federal custody. She will appear at a hearing on Thursday.
Capital One stores much of its data on Amazon Web Services, or AWS, Amazon's cloud service. According to the F.B.I., Thompson gained access to Capital One's data because of a "misconfiguration" in its firewall, a vulnerability the company now says it has fixed. The bank says that Thompson obtained 140,000 Social Security numbers from U.S. citizens and about 1 million Social Insurance numbers from Canadian citizens, as well as bank account information for 80,000 U.S. credit card customers using secured credit cards.
Once she'd stolen the data, Thompson, who went by the name "erratic" within the hacker community, almost seemed to want to be caught. She left a paper trail for the F.B.I. to follow, including a picture of a veterinary invoice that investigators used to positively identify her. She boasted so openly about her exploit that other hackers warned her to be careful not to go to jail.
She seemed aware of the danger as well. "I've basically strapped myself with a bomb vest, dropping capital ones dox and admitting it," she wrote in a Slack message, prosecutors say. Capital One says in its statement, "we believe it is unlikely that the information was used for fraud or disseminated by this individual." But that seems at odds with Thompson's own statements. According to prosecutors, she said online that she wanted to distribute the data. They also say in their court papers that she mentioned several other companies, educational institutions and governments, suggesting that she has hacked into other organizations besides Capital One.
If you're a Capital One customer, what action should you take? USA Today recommends freezing your credit with the three biggest credit bureaus, Equifax, Experian, and TransUnion, and it provides links for doing so. This is certainly a good idea, as it will prevent identity thieves from opening credit card accounts in your name, and you can unfreeze any time you need credit yourself. It's also a good idea to change the password for your online account or accounts.
Capital One has told investors it expects the breach to cost $100 to $150 million this year. Of course, it will likely cost more in future years; Equifax just spent $650 million settling claims for its 2017 data breach, the Times notes.