The FBI arrested a former software engineer from Seattle on charges of computer fraud and abuse after she accessed Capital One Financial Corp. data through a misconfigured web application firewall and stole Social Security numbers, names, birth dates, bank account numbers and other personal information on more than 100 million people.
Paige A. Thompson, 33, posted on GitHub about the hack, which occurred between March 12 and July 17. Another GitHub user contacted Capital One, and after the financial company confirmed the intrusion and theft, it alerted the FBI on July 19.
“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” U.S. Attorney Brian T. Moran said in a release. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
The charging complaint against Thompson cites posts on GitHub in which, using the handle “erratic,” she discusses the breach, including the method used to access the data and her plans to distribute it.
“While details are still unfolding, I think I have more questions than answers at the present time. What system did the perpetrator have access to? How was access monitored? Did she have admin access? How was she able to exfiltrate so many records without triggering any alerts?” asked Terence Jackson, CISO at Thycotic. “This is yet another example of why castle and moat security isn’t effective anymore. The threats are already inside.”
Security pro Chris Morales, head of security analytics at Vectra, expects it will take a few days before details are known. “It’s still early, and I think this one is going to develop out a bit more. However, I wouldn’t put it at the same level as the Equifax breach,” he said. “What was exploited was a website vulnerability that gave access to credit card applications, including 140,000 social security numbers and 80,000 linked bank account numbers.”