Skip to Content
Computing

A hacker stole the personal data of 100 million Capital One customers

Capital One
Capital OneAP

The alleged hacker behind one of the biggest ever cyberattacks on a bank then boasted about what she’d done on Twitter and  Slack, according to the FBI.

The news: The personal data of 100 million Americans and six million Canadians Capital One customers was stolen, the financial services firm revealed in a statement last night. A suspect, Paige A. Thompson, was arrested on Monday by the FBI about two weeks after the company first identified the breach.

Thompson, who now faces up to five years in prison, allegedly breached Capital One’s data on a cloud service thanks to a misconfigured web application firewall. Capital One is a known Amazon Web Services customer, and she’s a former Amazon Web Services employee.

Online trail: Prosecutors claim that Thompson, whose online pseudonym is “erratic,” posted data to a GitHub account that linked directly to her real identity, including her name and full résumé. The investigation into the breach was kick-started after a GitHub user spotted the data and alerted Capital One earlier this month.

The criminal complaint against Thompson details how she allegedly used anonymizing tools like Tor and a virtual private network to post the stolen data to her personal GitHub, talk about the breach on a personal Slack account, and effectively admit to hacking the company in direct messages on Twitter. Prosecutors are using all of it as evidence.

“I’ve basically strapped myself with a bomb vest,” Thompson wrote in a Twitter direct message, according to the criminal complaint. “Dropping capital one’s dox and admitting it. I wanna distribute those buckets I think first.”

The aftermath: Information dating from 2005 to 2019 was stolen, including Social Security numbers, bank account numbers, credit scores, names, and addresses. No credit card account numbers or login credentials were compromised. It may end up costing the firm up to $150 million in legal support, customer notifications, and credit monitoring, Capital One said. News of the hack comes just a week after credit reporting agency Equifax agreed to pay at least $575 million to settle its 2017 data breach.

“We will notify affected individuals through a variety of channels,” Capital One said in a statement. “We will make free credit monitoring and identity protection available to everyone affected.”

Sign up here for our daily newsletter The Download to get your dose of the latest must-read news from the world of emerging tech.

Deep Dive

Computing

Everything dies, including information

Digitization can help stem the tide of entropy, but it won’t stop it.

What’s next in cybersecurity

“When it comes to really cutting off ransomware from the source, I think we took a step back.”

Moving money in a digital world

Security is the critical element to expanding digital-first payments.

Cyber resilience melds data security and protection

Organizations face pervasive and sophisticated cyberattacks, but modern data protection techniques can provide a multifaceted defense.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.