On Monday, the FBI and the bank Capital One disclosed a data breach of 106 million credit card applications that compromised information like names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. It’s one of the biggest breaches of a major financial institution ever. Four months after the incident occurred, and within just 10 days of Capital One discovering it, the FBI has already made an arrest in connection with the crime.
Seattle resident Paige A. Thompson, 33, was charged Monday with one count of computer fraud and abuse, according to the FBI and court records. Thompson, the criminal complaint alleges, went by the hacker name “erratic” in many online accounts and forums. She allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March. On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and resume. It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have, given that Thompson allegedly talked openly about stealing the data, even on Slack.
At least one person appears to have stumbled across the trove. On July 17, court documents say, an unidentified tipster informed Capital One of its existence by emailing the bank’s responsible disclosure address with a brief warning about the data, and a link to it on GitHub.
“Capital One quickly alerted law enforcement to the data theft—allowing the FBI to trace the intrusion,” US attorney Brian Moran said in a statement. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
Capital One said in a statement on Monday that the stolen data related to credit card applicants and current credit card customers. The breach also affects six million Canadians, including one million Canadian Social Insurance numbers, in addition to the more than 100 million US consumers impacted.
“Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement,” the bank said. “The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
Capital One discovered the breach on July 19. The FBI connected the incident to Thompson quickly, the criminal complaint says, because it was so easy to link the GitHub page where she posted the stolen data to her handle and real identity. From there, investigators searched Thompson’s communications and worked backward to see if Capital One’s system logs matched the timeline of Thompson’s alleged online activity.
Thompson allegedly used the anonymity network Tor and the VPN IPredator while breaching Capital One, exfiltrating data, and posting it to GitHub in April, and seemed confident that they would protect her identity. But these tools are far from foolproof ways of covering your tracks, especially when you’re also posting about your actions on accounts linked to your real identity.
One screenshot of a Slack conversation from the criminal complaint shows an unnamed individual saying “sketchy shit, don’t go to jail plz,” after Thompson allegedly posted a link to the stolen data. A user named “erratic” replied, “I wanna get it off my server thats why Im archiving all of it lol. its all encrypted. I just don’t want it around though.”
Another screenshot shows some of Thompson’s alleged messages sent over Twitter direct messages. “Ive basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns…with full name and dob.”
The criminal complaint says that the resume on Thompson’s alleged GitHub account reported that she was a systems engineer from 2015 to 2016 at the same cloud computing company she breached in the intrusion. The Wall Street Journal reported on Monday that the company is Amazon Web Services. AWS did not immediately return WIRED’s request for comment.
As in the physical world, it’s fairly difficult to disconnect your online actions from your real identity. This presents a hurdle for people like activists, political dissidents, and whistleblowers, but is also a challenge that criminal hackers attempt to overcome with varying degrees of sophistication and success. Tools like VPNs and Tor, though, can lend a false sense of protection to those who don’t really know how to fully conceal their actions.
“Under optimal conditions, in principle tools like Tor can isolate your footprints,” says Kenn White, director of the Open Crypto Audit Project. “The problem is nothing is really useful in isolation. People use social media, they use familiar, known handles. It is very hard to compartmentalize your life online, and it only takes one mistake to be caught, particularly for crimes of this magnitude.”
Still, online criminals, fraudsters, and other malicious hackers are caught relatively rarely, and successful investigations usually take many months or years. This in itself raises some questions about how easily and quickly law enforcement traced the alleged hacker in the Capital One breach. In the case of the massive 2017 Equifax hack, for example, investigators still have not publicly named a culprit or motive.
Capital One estimates that responding to the incident will cost $100 million to $150 million in the short term. But, as usual, consumers are the true victims. Monitor your financial accounts and credit reports for any unusual activity, and make sure your digital accounts all have strong passwords and two-factor authentication enabled to avoid or quickly catch attempts to invade your digital life. Though in the case of the Capital One incident, it’s possible that the data is not actually in public circulation, even though it was posted for nearly three months.
“The multi-million dollar question is who has the dump,” White says, “whether anyone grabbed it before the arrest.”