Seattle software tech arrested in Capital One data breach affecting 106 million

A Seattle software engineer who used the screen name “erratic” has been arrested in the theft of account information on 106 million Capital One credit card applicants and customers.

While the capture of Paige Thompson, 33, differentiates the case from the thefts at credit bureau Equifax in 2017 and hotel chain Marriott a year later, which together affected hundreds of millions of people, it’s still likely to increase pressure on Congress to pass a federal privacy standard. The Equifax breach prompted fiery congressional hearings and the departure of then-CEO Richard Smith, as public ire grew over the realization that identification data including birth dates and Social Security numbers that are difficult or impossible to alter had been taken.

Capital One, based in McLean, Virginia, learned of the April data breach after Thompson listed file names from so-called buckets of information from the bank on GitHub, a digital platform for software development projects, and discussed plans to archive the data so it wouldn’t be on her servers, according to a criminal complaint filed in U.S. District Court in Seattle. Another user saw the posts, which were made under Thompson’s name and referenced her Twitter alias, erratic, and contacted the lender on July 19, according to the complaint.

“I’ve basically strapped myself with a bomb vest,” read a message sent from Thompson’s Twitter account cited in the complaint, “dropping capitalones dox and admitting it. I wanna distribute those buckets I think first. Their SSNs with full names and DOB.”

FBI agents seized numerous digital storage devices in a raid on Thompson’s home on Friday, some of which included references to Capital One and possible other network breaches, the agency said.

No credit card account numbers were compromised, Capital One said in a statement on Monday evening, and more than 99% of Social Security numbers were not. The largest category of information taken was on consumers and small businesses as of the time they applied for credit cards between 2005 and early this year, and included names, addresses, phone numbers, and self-reported income.

So far, the data doesn’t appear to have been shared or used for fraud, the bank said.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” CEO Richard Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

The breach occurred amid growing support from businesses as well as consumer advocates for a uniform privacy regulation in the U.S. Earlier this year, the heads of the largest U.S. companies urged Congress to replace a widening array of conflicting state laws on the collection and use of personal data with a nationwide standard.

Some 80 percent of CEOs surveyed by the Business Roundtable, which represents the 200 biggest U.S. businesses with a combined payroll of 15 million people, say a federal statute is important. Privacy advocates worried by massive breaches at companies from Marriott to social media giant Facebook want action, too, though they worry that Congress might ultimately weaken protections in states like California, whose new law will allow residents to review the data that companies hold on them and block firms from selling that information.

The cyberattack that Marriott disclosed in late November affected 327 million people, a number larger than the entire population of the United States, dwarfing even the theft of information on more than 140 million people at Equifax.

“Hackers are more sophisticated and targeted with their attacks than ever before, resulting in massive vulnerabilities for even the world’s largest organization,” said Peter Martini, co-founder of cloud cyber-security firm iboss. “These threats are made worse by the distributed nature of today’s workforce, with employees using their own devices and constantly accessing cloud-based applications. Consumers and companies alike need to recognize the current threats to their personal information and implement the necessary barriers to protect themselves.”