Capital One hack exposes data of 100M+ customer accounts

Paige Thompson allegedly obtained 140,000 Social Security numbers, one million Canadian Social Insurance Numbers, and 80,000 bank account numbers all stored unencrypted, CNN reported, citing Capital One and court filings by the U.S. Department of Justice. General information stolen included names, addresses, balances, credit scores, and more, though no logins or credit card numbers.

Thompson previously worked as a software engineer for Amazon Web Services, Capital One's hosting partner. For the break in, which took place on March 22 and March 23, she supposedly exploited settings in a Web app firewall with the intention of sharing the data elsewhere.

In all roughly 100 million Americans were impacted by the hack, plus 6 million Canadians. Capital One is notifying victims and offering them free credit monitoring and identity protection — the bank expects to sink between $100 million and $150 million on those costs as well as tech and legal issues.

Thompson was caught because she posted the information on GitHub using her full name, and even bragged about her heist on Slack and social media, the DOJ said.

"I wanna get it off my server that's why Im [sic] archiving all of it lol," she wrote on Slack.

On Slack, she used the nickname "erratic," the same as her identities on Twitter and Meetup. Her Twitter posting is said to have included claims she wanted to reveal names, birthdays, and Social Security numbers.

The GitHub trove was spotted by someone who notified Capital One, which in turn passed the info along to the FBI. A search of Thompson's home found devices with references to Amazon and Capital One, along with other entities that may or may not have been hacked. Thompson "recognizes that she has acted illegally," according to the DOJ.

Data breaches at major corporations have become almost a semi-regular occurrence, difficult to avoid because of the sheer number of criminal and state actors and the frequent discovery of new vulnerabilities. Such incidents can be costly if not disclosed — Equifax recently agreed to pay upwards of $700 million to settle probes of a breach that exposed 140 million Americans.

Apple has remained relatively immune, though an Israeli firm recently said it could break iCloud's security by installing malware on a target iPhone.