Capital One, the U.S.-based bank, said that it experienced a data breach that exposed the data of 106 million credit card applicants, including names, phone numbers, addresses, and dates of birth.
In addition, 140,000 U.S. citizens' Social Security numbers, 80,000 bank account numbers, and 1 million Canadian Social Insurance Numbers were stolen.
While no credit card account numbers or login details were compromised, the attacker did obtain credit scores, credit limits, balances, and payment history.
The information came from credit card applications submitted as early as 2005 and as recently as 2019, according to Capital One, which describes itself on its website as the third-largest credit card issuer in the U.S.
The Federal Bureau of Investigation (FBI) arrested the hacker, a Bellevue Community College dropout named Paige Thompson, in Seattle. According to a report, she was a former employee of Amazon Web Services, which hosted the Capital One database that was breached.
According to the authorities, Thompson accessed Capital One's data without authorization on March 22 and 23, 2019.
After stealing the data, she posted it on her GitHub account, which apparently carried her full name and resume.
Court documents indicate that an anonymous source was the first to discover the posted data and informed Capital One through its responsible disclosure program.
Thompson was not shy as a hacker. Using the alias 'erratic', she was listed as the organizer of a group on the social network Meetup called Seattle Warez Kiddies, described as a gathering for "anybody with an appreciation for distributed systems, programming, hacking, cracking."
In one exchange, 'erratic' replied to a group member asking how to avoid detection, recommending in part the use of a VPN service; the IP address the authorities say was used in the incident apparently belonged to that VPN service.
After noticing her Meetup activity, the authorities traced her other online activity and eventually linked her to posts describing the data theft on Twitter and Slack, further tying her to the intrusion.
She was then arrested and charged with one count of computer fraud and abuse.
"I’ve basically strapped myself with a bomb vest," wrote Thompson in a Slack post, according to prosecutors, "dropping Capital Ones dox and admitting it."
On Twitter, Thompson identified herself as a transgender woman, and investigators were able to confirm her identity after she posted a photograph of an invoice from a veterinarian who had treated one of her pets.
Amazon Web Services provides the remote servers on which companies store their data.
Large customers such as Capital One build their own web applications on top of that infrastructure so they can use their data in ways specific to their needs.
According to the FBI agent who investigated the breach, Thompson gained unauthorized access by taking advantage of a "misconfiguration" in a firewall in front of Capital One's server. This allowed her to reach the server and download customer files.
Amazon said its customers are fully in control of the applications they build, and Capital One said in a news release that it had "immediately fixed the configuration vulnerability" once it discovered the problem. Amazon said it had found no evidence that its underlying cloud services were compromised.
The problem came to light on July 17, when someone messaged Capital One to say that some of the bank's data appeared to have been leaked.
The FBI executed a search warrant at Thompson's house, where agents seized "numerous digital devices," prosecutors said, along with "items that referenced Capital One" and Amazon.
“I am deeply sorry for what has happened,” the bank’s chief executive, Richard D. Fairbank, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”
Considered one of the largest thefts of data from a bank, the incident is expected to cost Capital One around $100 million to $150 million, including the cost of credit monitoring for affected customers.