Skip to Content
Computing

A hacker stole the personal data of 100 million Capital One customers

Capital One
Capital OneAP

The alleged hacker behind one of the biggest ever cyberattacks on a bank then boasted about what she’d done on Twitter and  Slack, according to the FBI.

The news: The personal data of 100 million Americans and six million Canadians Capital One customers was stolen, the financial services firm revealed in a statement last night. A suspect, Paige A. Thompson, was arrested on Monday by the FBI about two weeks after the company first identified the breach.

Thompson, who now faces up to five years in prison, allegedly breached Capital One’s data on a cloud service thanks to a misconfigured web application firewall. Capital One is a known Amazon Web Services customer, and she’s a former Amazon Web Services employee.

Online trail: Prosecutors claim that Thompson, whose online pseudonym is “erratic,” posted data to a GitHub account that linked directly to her real identity, including her name and full résumé. The investigation into the breach was kick-started after a GitHub user spotted the data and alerted Capital One earlier this month.

The criminal complaint against Thompson details how she allegedly used anonymizing tools like Tor and a virtual private network to post the stolen data to her personal GitHub, talk about the breach on a personal Slack account, and effectively admit to hacking the company in direct messages on Twitter. Prosecutors are using all of it as evidence.

“I’ve basically strapped myself with a bomb vest,” Thompson wrote in a Twitter direct message, according to the criminal complaint. “Dropping capital one’s dox and admitting it. I wanna distribute those buckets I think first.”

The aftermath: Information dating from 2005 to 2019 was stolen, including Social Security numbers, bank account numbers, credit scores, names, and addresses. No credit card account numbers or login credentials were compromised. It may end up costing the firm up to $150 million in legal support, customer notifications, and credit monitoring, Capital One said. News of the hack comes just a week after credit reporting agency Equifax agreed to pay at least $575 million to settle its 2017 data breach.

“We will notify affected individuals through a variety of channels,” Capital One said in a statement. “We will make free credit monitoring and identity protection available to everyone affected.”

Sign up here for our daily newsletter The Download to get your dose of the latest must-read news from the world of emerging tech.

Deep Dive

Computing

Learning to code isn’t enough

Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.

IBM wants to build a 100,000-qubit quantum computer

The company wants to make large-scale quantum computers a reality within just 10 years.

Multi-die systems define the future of semiconductors

Multi-die system or chiplet-based technology is a big bet on high-performance chip design—and a complex challenge.

The inside story of New York City’s 34-year-old social network, ECHO

Stacy Horn set out to create something new and very New York. She didn’t expect it to last so long.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.