On Monday, the FBI and the bank Capital One disclosed a data breach of 106 million credit card applications that compromised information like names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. It's one of the biggest breaches of a major financial institution ever. Four months after the incident occurred, within just 10 days of Capital One discovering it, the FBI has already made an arrest in connection with the crime.
Seattle resident Paige A. Thompson, 33, was charged Monday with one count of computer fraud and abuse, according to the FBI and court records. Thompson, the criminal complaint alleges, went by the hacker name "erratic" in many online accounts and forums. She allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March. On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and résumé. It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have given that Thompson allegedly talked openly about stealing the data, even on Slack.
At least one person appears to have stumbled across the trove. On July 17, court documents say, an unidentified tipster informed Capital One of its existence by emailing the bank's responsible disclosure address with a brief warning about the data and a link to it on GitHub.
"Capital One quickly alerted law enforcement to the data theft—allowing the FBI to trace the intrusion," US attorney Brian Moran said in a statement. "I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it."
Capital One said in a statement on Monday that the stolen data related to credit card applicants and current credit card customers. The breach also affects 6 million Canadians, including one million Canadian Social Insurance numbers, in addition to the more than 100 million US consumers impacted.
"Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement," the bank said. "The FBI has arrested the person responsible, and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."
Capital One discovered the breach on July 19. The FBI connected the incident to Thompson quickly, the criminal complaint says, because it was so easy to link the GitHub page where she posted information about the stolen data to her handle and real identity. From there, investigators searched Thompson's communications and worked backward to see if Capital One's system logs matched the timeline of Thompson's alleged online activity.
Thompson allegedly used the anonymity network Tor and the VPN IPredator while breaching Capital One, exfiltrating data, and posting about it on GitHub in April, and she seemed confident that they would protect her identity. But these tools are far from foolproof ways of covering your tracks, especially when you're also posting about your actions on accounts linked to your real identity.
One screenshot of a Slack conversation from the criminal complaint shows an unnamed individual saying "sketchy shit, don't go to jail plz," after Thompson allegedly posted a link to information about the stolen data. A user named "erratic" replied, "I wanna get it off my server thats why Im archiving all of it lol. its all encrypted. I just don't want it around though."
Another screenshot shows some of Thompson's alleged messages sent over Twitter direct messages. "Ive basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns … with full name and dob."
The criminal complaint says that the résumé on Thompson's alleged GitHub account reported that she was a systems engineer from 2015 to 2016 at Amazon Web Services, which hosted the account she allegedly breached. Capital One says the misconfiguration lay in its own infrastructure, rather than AWS's. Amazon confirmed to WIRED that Thompson is a former employee.
As in the physical world, it's fairly difficult to disconnect your online actions from your real identity. This presents a hurdle for people like activists, political dissidents, and whistle-blowers, but it is also a challenge that criminal hackers attempt to overcome with varying degrees of sophistication and success. Tools like VPNs and Tor can lend a false sense of protection to those who don't really know how to fully conceal their actions, though.
"Under optimal conditions, in principle, tools like Tor can isolate your footprints," says Kenn White, director of the Open Crypto Audit Project. "The problem is, nothing is really useful in isolation. People use social media, they use familiar, known handles. It is very hard to compartmentalize your life online, and it only takes one mistake to be caught, particularly for crimes of this magnitude."
Still, online criminals, fraudsters, and other malicious hackers are caught relatively rarely, and successful investigations usually take many months or years. This in itself raises some questions about how easily and quickly law enforcement traced the alleged hacker in the Capital One breach. In the case of the massive 2017 Equifax hack, for example, investigators still have not publicly named a culprit or motive.
Capital One estimates that responding to the incident will cost $100 million to $150 million in the short term. But, as usual, consumers are the true victims. Monitor your financial accounts and credit reports for any unusual activity and make sure your digital accounts all have strong passwords and two-factor authentication enabled to avoid or quickly catch attempts to invade your digital life. Though in the case of the Capital One incident, it's possible that the data is not actually in public circulation, even though information about it was posted for nearly three months.
"The multimillion-dollar question is who has the dump," White says, "whether anyone grabbed it before the arrest."
Updated July 30, 2019, 9:00 am ET to include comment from Amazon.
Correction August 29, 2019, 3:00 pm ET: This article has been corrected to clarify that stolen data was not directly posted on GitHub. Instead, the posted data contained a file directory related to the stolen information, but not the data itself.