30 Jul 2019
Paige Thompson, a software engineer who formerly worked for Amazon Web Services, is accused of breaking into a Capital One server. Thompson obtained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. She also had access to over 100 million people’s names, addresses, credit scores and limits, balances, credit applications, and other information as far back as 2005.
The US Department of Justice complaint alleges that Thompson attempted to share the illegally obtained information online. She gained access via a misconfigured web application firewall. The hack occurred March 22 and 23rd. Thompson was then seen on multiple social media sites claiming she had the information. One person who saw the information on GitHub notified Capital One, who then notified the FBI. Thompson’s Seattle residence was searched on Monday which led to her arrest. The complaint includes Thompson’s admission of guilt, indicating that she “recognizes that she has acted illegally.”
The company indicated it fixed the vulnerability and said it is “unlikely that the information was used for fraud or disseminated by this individual.” But the investigation is ongoing. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One CEO Richard Fairbank in a statement.
Capital One will notify people affected by the breach and incur hack-related costs of over $150 million.