More than 100 million credit card applicants at risk in Capital One breach, Seattle woman arrested

About 140,000 Social Security numbers and 80,000 bank account numbers were potentially put at risk, according to a statement from the bank.

By Doha Madani and Andrew Blankstein

A former software engineer from Seattle has been arrested in connection with a massive data breach that potentially puts more than 100 million Capital One credit card applicants at risk.

Paige A. Thompson, 33, allegedly accessed information from Capital One bank through a misconfigured security feature and then posted the data to an information-sharing site, according to a criminal complaint released Monday.

Capital One said in a statement to NBC News on Monday that the breach affects approximately 100 million individuals in the United States and approximately 6 million in Canada.

The bank insists, however, that no credit card account numbers or login credentials were compromised and fewer than one percent of Social Security numbers were compromised.

An unidentified person contacted Capital One on July 17 to report that leaked data belonging to the company appeared to be posted on GitHub, a hosting site often used by software engineers to develop and collaborate on projects.

Capital One staff investigated the posting, which was dated April 21, and saw instructions on how to access the company's private information through computer code. Internal company logs indicated that the "buckets" of information that the code led to were indeed accessed.

Some of the more sensitive data, including Social Security information, was encrypted, but information from tens of millions of credit card applications has been put at risk.

About 140,000 Social Security numbers and 80,000 bank accounts were potentially put at risk, according to a statement from the bank Monday.

Information about applicant names, addresses, birth dates and credit history is also at risk.

An FBI cyberinvestigator matched the GitHub account name with a former systems engineer for Cloud Computing Company named Paige Thompson, according to the complaint. Further investigation of Thompson showed she allegedly created a messaging channel and claimed in a post to have data obtained using the same code in the April 21 GitHub post.

The FBI also believes Thompson is behind a Twitter account that sent a private message to Capital One on June 18 claiming to have Social Security numbers.

"Ive basically strapped myself with a bomb vest, f---ing dropping capitol ones dox and admitting it," the message read. "I wanna distribute those buckets i think first."

The term "dox" refers to publishing private identifying information about a person on the internet, typically without their consent.

A search of Thompson's home Monday resulted in the seizure of "numerous digital devices" that appear to have data from Capital One, Cloud Computing Company and other institutions that may have been targeted.

Thompson was arrested on a computer fraud and abuse charge, which is punishable by up to five years in prison and a $250,000 fine.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One Chairman and CEO Richard D. Fairbank said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One said Monday that it will incorporate lessons from the breach to further strengthen its cybersecurity.

"We will notify affected individuals through a variety of channels," the company said in a statement. "We will make free credit monitoring and identity protection available to everyone affected."

News about Capital One's breach comes one week after credit reporting company Equifax settled federal and state probes for a record $650 million for a 2017 data breach of personal information. Equifax will also pay a $175 million fine to the states and $50 million to the Consumer Financial Protection Bureau.