
A hacker stole the personal data of 100 million Capital One customers


The alleged hacker behind one of the biggest ever cyberattacks on a bank then boasted about what she’d done on Twitter and Slack, according to the FBI.

The news: The personal data of 100 million American and six million Canadian Capital One customers was stolen, the financial services firm revealed in a statement last night. A suspect, Paige A. Thompson, was arrested on Monday by the FBI, about two weeks after the company first identified the breach.

Thompson, who now faces up to five years in prison, allegedly breached Capital One’s data on a cloud service thanks to a misconfigured web application firewall. Capital One is a known Amazon Web Services customer, and she’s a former Amazon Web Services employee.

Online trail: Prosecutors claim that Thompson, whose online pseudonym is “erratic,” posted data to a GitHub account that linked directly to her real identity, including her name and full résumé. The investigation into the breach was kick-started after a GitHub user spotted the data and alerted Capital One earlier this month.

The criminal complaint against Thompson details how she allegedly used anonymizing tools like Tor and a virtual private network to post the stolen data to her personal GitHub, talk about the breach on a personal Slack account, and effectively admit to hacking the company in direct messages on Twitter. Prosecutors are using all of it as evidence.

“I’ve basically strapped myself with a bomb vest,” Thompson wrote in a Twitter direct message, according to the criminal complaint. “Dropping capital one’s dox and admitting it. I wanna distribute those buckets I think first.”

The aftermath: Information dating from 2005 to 2019 was stolen, including Social Security numbers, bank account numbers, credit scores, names, and addresses. No credit card account numbers or login credentials were compromised. It may end up costing the firm up to $150 million in legal support, customer notifications, and credit monitoring, Capital One said. News of the hack comes just a week after credit reporting agency Equifax agreed to pay at least $575 million to settle its 2017 data breach.

“We will notify affected individuals through a variety of channels,” Capital One said in a statement. “We will make free credit monitoring and identity protection available to everyone affected.”
