Capital One Financial Corp. set up an email address for tipsters — including “white hat” hackers — to alert the company to potential vulnerabilities in its computer systems. On July 17, the company got a hit.
“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.
It didn’t take Capital One long to figure out who had accessed its files. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.
“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the “erratic” alias, in a June 18 Twitter message. “There ssns…with full name and dob” — an apparent reference to Social Security numbers.
It also didn’t take Capital One much time to assess the damage. On Monday, it announced that about 100 million people in the U.S. had been impacted by the breach, and another 6 million in Canada. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.
Most Social Security numbers were protected, but about 140,000 were compromised, the bank said. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”
The company described the tipster to the hack as an “external security researcher.”
Thompson, 33, was charged with computer fraud and abuse. In a court hearing Monday, she broke down and laid her head on the defense table. On Tuesday, New York Attorney General Letitia James announced that her office is opening an investigation into the Capital One breach.
The scale of the breach ranks it as possibly one of the largest-ever impacting a U.S. bank, although the consequences may be limited if the data wasn’t distributed to others or used for fraud.
Capital One shares fell as much as 6.5% Tuesday morning, their biggest decline in six months.
The breach shows how hackers can steal vast troves of consumer data as the result of lapses made by the companies that collect it. In 2017, Equifax Inc. failed to patch a known flaw in its servers, resulting in the theft of 145 million Social Security numbers, along with the names and dates of birth of possibly a third of the U.S. population.
In the Capital One case, Thompson was allegedly able to steal vast buckets of personal data because of an improperly configured firewall — among the most basic digital security tools. The bank said it immediately fixed the problem once it was discovered.
In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.