Capital One Data Breach – FBI Arrests Former Software Engineer

Date30 Jul 2019

Comment0

CategoriesConsumer Protection, Employment & Technology Archive

Former Seattle Technology Company Software Engineer Arrested For Theft of Capital One Financial Corporation Data

On July 29, 2019, USA TODAY reported the following:

Capital One said . . . that personal information, including the Social Security and bank account numbers of more than 100 million individuals, were compromised in a massive data theft that led to the arrest of a Seattle woman.

Paige A. Thompson, 33, a former software engineer, is accused of stealing data from Capital One credit card applications in what is one of the top 10 largest data breaches ever, according to USA TODAY research.

The FBI arrested Thompson on Monday for the theft, which occurred between March 12 and July 17, court records show. Among the data allegedly collected from a company cloud-based server were Social Security and bank account numbers. [Emphasis added.]

According to Capital One:

Based on [Capital One’s] analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information[;]

Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018[.]

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers[;]

About 80,000 linked bank account numbers of our secured credit card customers[.]

For [Capital One’s] Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. [Emphasis added.]

The U.S. Department of Justice press release regarding Thompson’s arrest stated:

A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran. PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.

According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data. [Emphasis added.]