Capital One Financial Corporation announced Monday that a hacker had illegally accessed data from approximately 100 million people in the United States and 6 million in Canada. Investigators stated that sensitive information, including thousands of Social Security and bank account numbers, was also stolen.
The Federal Bureau of Investigation (FBI) has arrested a 33-year-old Seattle-based woman, Paige A. Thompson aka Erratic, on a single count of computer fraud and abuse. She faces a maximum penalty of five years in jail and a $250,000 fine.
According to Bloomberg, Thompson is a former Amazon Web Services engineer.
The data breach appears to be one of the largest ever to strike a banking institution. Back in 2017, consumer credit reporting agency Equifax revealed that hackers had stolen sensitive information belonging to 147 million people. Just last week, it reached a $700 million settlement with U.S. regulators over that specific data breach.
The hacker’s malicious actions are expected to cost the company between $100 million and $150 million this year, Capital One stated.
It is uncommon in a massive data breach for a suspect to be detained so soon. According to the criminal complaint, the hacker appears to have made some operational security (OPSEC) mistakes.
In addition to making statements on social media that strongly indicate she had information regarding Capital One, Thompson might have shared some of the information on a private Slack chat server prior to being caught by law enforcement.
Capital One was alerted to a security issue on July 17 after an individual using the handle Erratic was said to have taken large quantities of the firm’s data, according to the criminal complaint.
The banking institution investigated and swiftly confirmed that there was a security vulnerability. Prosecutors alleged that unauthorized access to the bank’s data was gained through a misconfigured firewall protecting one of its applications.
The court papers also show that the hacker had made connections to Capital One’s server from Tor exit nodes.
The press release by Capital One asserts that approximately 140,000 U.S. Social Security numbers, 80,000 bank account numbers, and 1 million Canadian social insurance numbers were accessed. This may seem small compared with the 106 million affected individuals in total. Nevertheless, it appears to be a considerable amount.
Given the amount of personal information compromised by the hacker, other hackers could use it to social engineer targeted victims and to commit identity theft. Cybercriminals are aware of who to target and how to initiate that process.