The Washington PostDemocracy Dies in Darkness

Capital One says data breach affected 100 million credit card applications

Capital One revealed July 29 that personal information of about 100 million bank customers in the U.S. were stolen by a hacker. (Video: Reuters)

Capital One, the Virginia-based bank with a popular credit card business, announced Monday that a hacker had accessed about 100 million credit card applications, and investigators say thousands of Social Security and bank account numbers were also taken.

The FBI has arrested a Seattle-area woman, Paige A. Thompson, on a charge of computer fraud and abuse, according to court records.

The hack appears to be one of the largest data breaches ever to hit a financial services firm. In 2017, the credit-reporting company Equifax disclosed that hackers had stolen the personal information of 147 million people. Last week, it reached a $700 million settlement with U.S. regulators over that breach.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Capital One’s chairman and chief executive. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Find out why you shouldn't use symbols or caps in passwords, and what you should use instead to keep your data safe. (Video: Jhaan Elker/The Washington Post)

Capital One looked to the cloud for security, but its own firewall couldn’t stop a hacker

The hack is expected to cost the company between $100 million and $150 million in the near term, Capital One said.

In announcing the data breach, Capital One emphasized that no credit card numbers or log-in credentials were compromised, nor was the vast majority of Social Security numbers on the affected applications.

It is unusual in a major hacking case for a suspect to be apprehended so quickly, and in this case, that was apparently due to boasts made online.

Thompson, who authorities say used the name “erratic” in online conversations, is suspected of “exfiltrating and stealing information, including credit card applications and other documents, from Capital One,” according to a criminal complaint filed in federal court. She was ordered to remain in jail pending a detention hearing scheduled for Thursday, according to court records.

Read the court documents for U.S. v Paige Thompson

A lawyer for Thompson did not immediately respond to a message seeking comment.

Thompson “made statements on social media for evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally,” according to the criminal complaint signed by FBI special agent Joel Martini.

In one online posting, “erratic” wrote: “I’ve basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it,” according to the complaint.

Paige Thompson, Capital One hacker suspect, left a digital trail

“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the FBI complaint said, and the bank told the bureau that the data includes “likely tens of millions of applications and approximately 77,000 bank account numbers.”

Capital One, which is headquartered in the D.C. suburb of McLean, Va., was alerted to a problem on July 17 after a person in an online discussion group had claimed to have taken large amounts of the company’s data, according to the complaint.

Has your data been compromised? Here’s how to make sure your information is safe after the Capital One hack

The bank investigated and quickly confirmed there was a vulnerability, the court papers said.

The hacker was able to access the Social Security numbers of about 140,000 customers — those who used their Social Security number as their employer identification number in applying for small-business credit cards, the bank said.

Thompson previously worked at an unidentified cloud-computing company that provided data services to Capital One, according to court papers.

Authorities said that in conversations using the messaging service Slack, Paige posted a list of files she claimed to possess, leading another person in the group discussion to reply: “sketchy” and “don’t go to jail plz.”

The “erratic” user replied, “I wanna get it off my server that’s why Im archiving all of it lol . . . its all encrypted,” according to court files.

Based on other postings allegedly made by Thompson last month, the FBI came to suspect she “intended to disseminate data stolen from victim entities, starting with Capital One,” court documents say.