Capital One hacker who stole personal info on 100M arrested

The FBI arrested a former software engineer from Seattle on charges of compute fraud and abuse after she accessed Capital One Financial Corporation data through a misconfigured web application firewall and stole Social Security numbers, names, birthdates, bank account numbers and other personal information on more than 100 million people.

Paige A. Thompson, 33, posted on GitHub about
the hack, which occurred between March 12 and July 17. Another GitHub user
contacted Capital One and after the financial company confirmed the intrusion
and theft, it alerted the FBI on July 19.

“Capital One quickly alerted law enforcement to the data theft
— allowing the FBI to trace the intrusion,” U.S. Attorney Brian T. Moran said in a release. 
“I commend our law enforcement partners who are doing all they can to determine
the status of the data and secure it.”

The charging complaint
against Thompson cites posts on GitHub in which, using the handle “erratic,”
she discusses the breach, including the method used to access the data and her
plans to distribute it. 

“While details are
still unfolding, I think I have more questions than answers at the present
time. What system did the perpetrator have access to? How was access monitored?
Did she have admin access?  How was she able to exfiltrate so many records
without triggering any alerts?” asked Terence Jackson, CISO at Thycotic. “This
is yet another example of why castle and moat security isn’t effective anymore.
The threats are already inside.”

Security pro Chris
Morales, head of security analytics at Vectra, expects it will take a few days
before details are known. “It’s still early, and I think this one is going to
develop out a bit more. However, I wouldn’t put it at the same level as the
Equifax breach,” he said. “What was exploited was a website vulnerability that
gave access to credit card applications, including 140,000 social security
numbers and 80,000 linked bank account numbers.”