Suspect Arrested In Capital One Bank Breach Affecting 106m Customers

Personal information on about 106 million credit card applicants across the US and Canada was stolen in a cyber-attack, US financial services company Capital One has revealed.

US federal authorities arrested a suspect, Paige Thompson, after she allegedly boasted of the exploit on the GitHub code hosting site.

The hack affected 100 million people in the US and 6 million in Canada, with the attacker accessing information including credit scores and balances, as well as the Social Security numbers of about 140,000 individuals, according to the bank.

The breach is believed to be one of the largest in banking history.

Arrest

Capital One said it would offer free credit monitoring and identity protection services to those affected.

Paige Thompson was charged with a single count of computer fraud and abuse in the US District Court in Seattle. She made an initial appearance in court and is to remain in custody pending a detention hearing on Thursday.

She faces a maximum sentence of five years in prison and a fine of $250,000 (£204,713).

The FBI raided Thompson’s residence on Monday and seized digital devices, with an initial search finding files that made references to Capital One and “other entities that may have been targets of attempted or actual network intrusions”.

Thompson, 33, is a former technology company software engineer, the US Justice Department said.

Virginia-based Capital One said it became aware of the attack on 19 July and reported it to law enforcement.

GitHub boast

According to the FBI complaint, a GitHub user had earlier emailed the bank saying that Thompson had boasted of having stolen the bank’s data.

“On July 17 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft,” stated the US attorney’s office in Washington.

In mid-June, a Twitter user with the handle “erratic” sent Capital One direct messages threatening to distribute stolen data including names, birthdates and social security numbers, the FBI said.

Capital One said it is unlikely the data was used for fraud, but that it will continue to investigate.

“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One chairman Richard Fairbank in a statement.

Firewall misconfigured

A security expert said the breach had been the result of Capital One’s neglect of basic security practices.

“From reading their description of the breach, you would be forgiven for thinking it was an elite hacker exploiting a vulnerability,” said Immersive Labs chief executive James Hadley.

“In reality, as stated by the FBI, it was simply a poorly configured firewall that allowed the hacker in.”

Hadley said the breach showed that companies “have a lot to learn when it comes to deploying security technology effectively”.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
