A former systems engineer has been arrested on charges that she hacked into Capital One’s network and stole sensitive data for about 106 million people, according to an FBI court filing and a statement from the Virginia-based bank.
Paige A. Thompson, 33, of Seattle was an employee of an unnamed cloud-computing company from 2015 to 2016, FBI Special Agent Joel Martini wrote in a criminal complaint filed on Monday. A GitHub account belonging to her showed that, earlier this year, someone exploited a firewall vulnerability in Capital One’s network that allowed an attacker to execute a series of commands on the bank’s servers.
Capital One has confirmed the intrusion and said it affected about 100 million individuals in the US and 6 million people in Canada. Personal information taken included names, incomes, dates of birth, addresses, phone numbers, and email addresses. Social security numbers for 140,000 people were also obtained, and about 80,000 bank account numbers were accessed. Social Insurance numbers for about 1 million Canadians were also obtained. No credit card numbers or login credentials were compromised. It’s unlikely the stolen data was used in fraud or was widely disseminated, bank officials said.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard D. Fairbank, Capital One founder, chairman and CEO, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”
One command executed in the firewall hack allowed the intruder to gain credentials for an administrator account known as *****WAF-Role. The command in turn enabled access to bank data stored under contract by the unnamed cloud computing company. Other commands allowed the attacker to enumerate folders stored on the service and to copy their contents. IP addresses and other evidence ultimately showed that Thompson was the person who exploited the vulnerability and posted the data to Github, Martini said.
Thompson allegedly used a VPN from IPredator and Tor in an attempt to cover her tracks. At the same time, Martini said that much of the evidence tying her to the intrusion came directly from things she posted to social media or put in direct messages. A June 26 Slack posting and another post the next day to an unnamed service, for instance, both referred to the WAF-Role account.
In response to a June 27 post, someone told her: “sketchy shit. don’t go to jail, plz.” Using the handle erratic she responded [sic throughout]:
wa wa wa wa, wa wa wa wa wa wa wawaaaaaaaaaaa. I’m like >ipredator > tor >s3 on all this shit .. i wanna get it off my server thats why Im archiving all of it. Its all encrypted. I just dont want it around though. I gotta find somewhere to store it. That infobloxcto one is interesting. They have > 500 docker containers.
Martini said that, on June 18, a Twitter user with the screen name Erratic sent direct messages to another user that read: “I’ve basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns… with full name and dob.”
The unnamed receiver of those messages sent them to Capital One officials. Capital One officials also received an email dated July 17 from someone reporting that sensitive data was posted to Thompson’s Github account. “Let me know if you want help tracking them down,” the person wrote. It wasn’t immediately clear if the reports came from the same person or two different people. Other evidence tying Thompson to the hack included IP addresses, Martini said. Capital One confirmed the intrusion on July 19.
Thompson was arrested on Monday and is being detained pending a bail hearing scheduled for Thursday. She’s charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. At a court hearing later in the day, according to Bloomberg News, Thompson “broke down and laid her head down on the defense table.”