The alleged hacker behind one of the biggest ever cyberattacks on a bank then boasted about what she’d done on Twitter and Slack, according to the FBI.
The news: The personal data of 100 million Americans and six million Canadians Capital One customers was stolen, the financial services firm revealed in a statement last night. A suspect, Paige A. Thompson, was arrested on Monday by the FBI about two weeks after the company first identified the breach.
Thompson, who now faces up to five years in prison, allegedly breached Capital One’s data on a cloud service thanks to a misconfigured web application firewall. Capital One is a known Amazon Web Services customer, and she’s a former Amazon Web Services employee.
Online trail: Prosecutors claim that Thompson, whose online pseudonym is “erratic,” posted data to a GitHub account that linked directly to her real identity, including her name and full résumé. The investigation into the breach was kick-started after a GitHub user spotted the data and alerted Capital One earlier this month.
The criminal complaint against Thompson details how she allegedly used anonymizing tools like Tor and a virtual private network to post the stolen data to her personal GitHub, talk about the breach on a personal Slack account, and effectively admit to hacking the company in direct messages on Twitter. Prosecutors are using all of it as evidence.
“I’ve basically strapped myself with a bomb vest,” Thompson wrote in a Twitter direct message, according to the criminal complaint. “Dropping capital one’s dox and admitting it. I wanna distribute those buckets I think first.”
The aftermath: Information dating from 2005 to 2019 was stolen, including Social Security numbers, bank account numbers, credit scores, names, and addresses. No credit card account numbers or login credentials were compromised. It may end up costing the firm up to $150 million in legal support, customer notifications, and credit monitoring, Capital One said. News of the hack comes just a week after credit reporting agency Equifax agreed to pay at least $575 million to settle its 2017 data breach.
“We will notify affected individuals through a variety of channels,” Capital One said in a statement. “We will make free credit monitoring and identity protection available to everyone affected.”