Published on July 30th, 2019
The Capital One hacker did almost everything possible to get caught.
On Monday, the public learned that Capital One, the third-largest credit card issuer in the country, had experienced a massive hack. The sensitive data of 100 million people in the U.S. and 6 million people in Canada had been compromised, according to a statement from the company, which makes it one of the largest thefts of data from a bank ever. That’s not the only thing that makes the story remarkable. The woman who the U.S. government alleges committed the breach—Paige Thompson, a 33-year-old Seattle resident who went by the name “erratic” online—didn’t just leave a trail of breadcrumbs for investigators to follow. She left whole loaves of bread.
The hack itself is colossal, and as with any data breach, it’s practically impossible to know where the data already is or could eventually end up now that it’s out there. It’s often also hard to find out who did it. Maintaining anonymity online isn’t easy, but dedicated hackers manage it. Thompson, however, didn’t appear interested in staying under the radar at all. Within 10 days of Capital One discovering its systems had been breached, the FBI arrested Thompson, who allegedly accessed the trove of information by breaking into a firewall that had been misconfigured at some point in March.
The breach includes data from tens of millions of credit card applications filed to Capital One between 2005 and 2019, including information on people’s home addresses, phone numbers, email addresses, self-reported income, credit scores, account balances, and other types of information people put on a credit card application. According to a release from Capital One, “no bank account numbers or Social Security numbers were compromised” except for “about 140,000 Social Security numbers of our credit card customers” and “about 80,000 linked bank account numbers of our secured credit card customers.” That’s a pretty big except. And across the border, about 1 million Social Insurance Numbers—Canada’s version of Social Security numbers—were exposed, too.
According to a federal indictment, Thompson posted the data she pilfered on her GitHub profile on April 21, where she had also uploaded her résumé with her full name listed and details about her employment history. Thompson previously worked for Amazon Web Services, of which Capital One is a major client. While it’s not clear if anyone downloaded the data, at least one person did stumble on it—and then alerted Capital One in an email on July 17.
Although Thompson allegedly used the anonymity network Tor as well as a VPN to help mask her activity as she was committing the hack, her operational security became much laxer after she obtained the data. Thompson appears to have boasted about the stolen data in a Slack channel, according to screenshots shared in the court documents, which was linked in a Meetup.com group she hosted called Seattle Warez Kiddies, described as an event for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” In that Slack group, Thompson, going by the moniker “erratic,” wrote on June 27: “I wanna get it off my server that’s why Im archiving all of it lol.” One of the other members in the Slack group wrote, “sketchy shit. don’t go to jail plz.” In the same Slack channel, Thompson also previously posted a photo of an invoice from a veterinarian for one of her pets, which also included her full name and the same address on the résumé posted to her GitHub page.
The FBI says it also found evidence of Thompson’s involvement with the hack on Twitter, where she posted numerous tweets about computer security and sent direct messages to the person who reported the data breach to Capital One. “I’ve basically strapped myself with a bomb vest, dropping capitol one dox and admitting it. I wanna distribute those buckets I think first,” she wrote.
This isn’t the first time someone who committed a major hack didn’t cover their tracks. Earlier this year the FBI announced it had taken down a team in Russia that used malware to steal bank account information and money thanks in part to advertisements the data thieves posted for cybercrime services. But that hack didn’t compromise anywhere near the number of people affected by the Capital One hack, the damage of which is still unclear.
We’ll likely learn more about Thompson on Thursday, when she appears in court for a hearing.
Have you been notified that you were affected by the Capital One hack? Tell me about it at april.glaser@slate.com.