A woman who worked as a software engineer in Seattle hacked into a server holding customer information for Capital One and obtained the personal data of more than 100 million people, federal prosecutors said Monday, in one of the largest thefts of data from a bank.
The suspect, Paige Thompson, 33, left a trail online for investigators to follow as she boasted about the hacking, according to court documents in Seattle, where she was arrested and charged with one count of computer fraud and abuse.
Thompson, who formerly worked for Amazon Web Services, which hosted the Capital One database that was breached, was not shy about her work as a hacker. She is listed as the organiser of a group on Meetup, a social network, described as a gathering for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The FBI noticed her activity on Meetup and used it to trace her other online activities.
According to court papers and Capital One, Thompson stole 140,000 Social Security numbers and 80,000 bank account numbers in the breach.
In all, more than 100 million people in the United States and Canada were affected, the company said Monday.
The information came from credit card applications by consumers and small businesses made as early as 2005 and as recently as 2019, according to Capital One.
“Based on our analysis to date,” the bank said in a statement, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
Amazon Web Services hosts the remote data servers that companies use to store their information, but large enterprises like Capital One build their own web applications on top of Amazon’s cloud data so they can use the information in ways specific to their needs.
The FBI agent who investigated the breach said in court papers that Thompson gained access to the sensitive data through a “misconfiguration” of a firewall on a web application that allowed the hacker to obtain customer files.
Amazon said its customers fully control the applications they build, and Capital One said in a news release that it “immediately fixed the configuration vulnerability” once it discovered the problem. Amazon said it found no evidence its underlying cloud services were compromised.