Capital One said Monday that data from more than 100 million US citizens and 6 million Canadian residents had been stolen by a.
If you applied for a credit card from the US bank between 2005 through 2019, your information is likely part of this breach, Capital One said in a statement. The data includes roughly 140,000 US Social Security numbers and about 80,000 bank account numbers, according to Capital One. The hacker also stole about 1 million Canadian social insurance numbers in the breach.
Capitol One added that “no credit card account numbers or log-in credentials were compromised” and that more than 99 percent of the Social Security numbers that Capital One has on file weren’t affected. The breach did, however, include names, addresses, ZIP codes, phone numbers, email addresses and birthdates — all valuable assets that hackers can use to steal from victims.
The FBI arrested a 33-year-old tech worker named Paige A. Thompson, who goes by the nickname “erratic,” according to the Justice Department. Prosecutors charged Thompson with computer fraud and abuse, alleging that she was behind the hack.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, chairman and CEO of Capital One. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
This incident comes in the wake of news that. That breach of Equifax’s servers involved the Social Security numbers and home addresses of nearly 148 million Americans.
According to court documents in the Capitol One case, Thompson allegedly stole the information by finding a misconfigured firewall on Capital One’s Amazon Web Services cloud server. Investigators accused Thompson of accessing that server from March 12 to July 17. More than 700 folders of data were stored on that server, according to the Justice Department.
Thompson allegedly posted details about the hack on a GitHub page in April, and talked about the attack on Twitter and Slack discussions, according to the FBI.
Court documents showed that Capital One didn’t learn about the hack until July 17, when someone sent a message to the company’s responsible disclosure email address with a link to the GitHub page. The page had been up since April 21, with the IP address for a specific server containing the company’s sensitive data.
“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” US Attorney Brian T. Moran said in a statement.
The GitHub page had Thompson’s full name, as well as another page containing her resume. Court documents showed that on the resume, Thompson was listed as a systems engineer and was an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said the former employee left the company three years before the hack took place.
Amazon said that AWS wasn’t compromised in anyway, pointing out that the alleged hacker gained access through a misconfiguration on the cloud server’s applicaton, not through a vulnerability in its infrastructure.
The FBI also found Twitter message logs where Thompson allegedly wrote, “I’ve basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it,” noting that she wanted to distribute the data she stole.
Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully. The company expects this hack will cost the company approximately $100 million to $150 million in 2019.
The FBI seized Thompson’s devices on Monday after obtaining a search warrant, and arrested her. If found guilty, Thompson faces up to five years in prison and a $250,000 fine.
Like Equifax, Capital One said that it would be providing free credit monitoring and identity protection to everyone involved.
Originally published July 29 at 4:59 p.m. PT.
Update, 6:03 p.m. PT: Adds statement and additional details from Capital One.
Update: 6:46 p.m. PT: Adds details from the criminal complaint.
Update 8:00 p.m. PT: Adds background information.