In one of the biggest data breaches ever, a hacker gained access to more than 100 million Capital One customers’ accounts and credit card applications earlier this year.
The compromised data includes about 140,000 US Social Security numbers and about 80,000 bank account numbers, Capital One said in a press release. The hacker also stole about 1 million Canadian social insurance numbers in the breach.
The company emphasized that “no credit card account numbers or log-in credentials were compromised,” adding that more than 99 percent of the Social Security numbers that Capital One has on file were not affected. The breach did, however, include names, addresses, ZIP codes, phone numbers, email addresses, and birthdates.
According to a notice from the US Department of Justice, the FBI arrested a 33-year-old tech worker named Paige A. Thompson in connection with the breach. She was charged with one count of computer fraud and abuse, according to the FBI and court records.
Thompson, who went by the hacker name “erratic” in many online accounts and forums, allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March.
On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and resume. It is unclear whether anyone downloaded the data after she allegedly posted it.
Court documents showed that Capital One didn’t learn about the hack until July 17, when someone sent a message to the company’s responsible disclosure email address with a link to the GitHub page.
“Capital One quickly alerted law enforcement to the data theft – allowing the FBI to trace the intrusion,” US attorney Brian Moran said in a statement.