Capital One said Monday that sensitive financial information—including Social Security and bank account numbers—from over 100 million people was exposed in a massive data breach that led to the arrest of former Amazon employee Paige Thompson, a hacker who lives in Seattle.
- The information was taken from credit card applications submitted to the Virginia-based bank from 2005 to 2019. These included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.
- Additionally, Capital One said that 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised, as well as fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
- No credit card account numbers or log-in credentials were exposed.
- Individuals whose information was compromised in the breach will be notified by Capital One.
Federal agents have arrested a Seattle woman named Paige Thompson for hacking into cloud computing servers rented by Capital One, according to court documents. Investigators say Thompson previously worked at the cloud computing company whose servers were breached but did not name the company.
Amazon did not immediately respond to a request for comment from Forbes.
Using the online alias “erratic,” Thompson allegedly talked about the files she accessed in a Slack group and in a direct message on Twitter, the court documents say.
“I’ve basically strapped myself with a bomb vest, f*cking dropping capital ones dox and admitting it. I wanna distribute those buckets I think first. There are ssns… with full names and dob,” a Twitter direct message sent from Thompson reads. A screenshot of the message was included in the court documents.
Thompson allegedly posted the information from the hack on her GitHub profile, which included a link to her résumé, leading the FBI to her. GitHub is an online service that allows users to upload and store code.
Forbes was unable to reach Thompson for comment.
The hack occurred on March 22 or 23, the court documents say, but no one at Capital One knew the bank had been breached until four months later when an anonymous security researcher alerted them.