Tipster's email led to Capital One arrest

Link uncovered data connected to credit card applications

Bloomberg

Pedestrians pass a Capital One Financial branch in New York.
Capital One Financial Corp. set up an email address for tipsters — including “white hat” hackers — to alert the company to potential vulnerabilities in its computer systems. On July 17, the company got a hit.

“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone’s github/gist.”

A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.

Capital One soon figured out who had accessed its files. The GitHub address included a name, Paige Thompson, a former Amazon.com employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.

“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the “erratic” alias, in a June 18 Twitter message. “There ssns ... with full name and dob” — an apparent reference to Social Security numbers.

It also didn’t take Capital One much time to assess the damage. On Monday, it announced that about 100 million people in the United States and 6 million in Canada had been affected.

The illegally accessed data, stored on servers rented from Amazon Web Services, primarily was related to credit card applications and included personal information such as names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.

Most Social Security numbers were protected but about 140,000 were compromised, the bank said. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”

The company described the tipster who reported the hack as an “external security researcher.”

Thompson, 33, was charged with computer fraud and abuse. In a court hearing Monday, she broke down and laid her head on the defense table.

The scale of the breach ranks it as possibly one of the largest ever affecting a U.S. bank, although the consequences may be limited if the data wasn’t distributed to others or used for fraud.

However, the breach shows how hackers can steal vast troves of consumer data as the result of lapses made by the companies that collect it. In 2017, Equifax failed to patch a known flaw in its servers, resulting in the theft of 145 million Social Security numbers, along with the names and dates of birth of possibly a third of the U.S. population.

In the Capital One case, Thompson allegedly was able to steal vast buckets of personal data because of an improperly configured firewall — among the most basic digital security tools. The bank said it immediately fixed the problem once it was discovered.

In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.
