Woman Charged As Hacker In Capital One Data Breach Exposing Over 100 Million Customers


A woman has been charged in connection with a hacking breach at Capital One bank that exposed information from more than 100 million credit applications over a 14-year period – what is thought to be one of the largest such attacks in recent years.

Authorities in Seattle have charged Paige A. Thompson, who also goes by the handle "erratic," with a single count of computer fraud. She appeared in court on Monday and is scheduled for a detention hearing on Thursday.

Thompson is accused of hacking credit scores, balances, income information and Social Security numbers from a total of 100 million people in the U.S. and 6 million in Canada.

Virginia-based Capital One, the nation's seventh-largest bank, acknowledged the breach in a statement on Monday, but said it believed the hacked information was not used in any actual fraud.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, chairman and CEO, in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

The hacked data consists of information from credit card applications from individuals and small businesses, mostly from 2005 to early 2019. That includes 140,000 Social Security numbers and 80,000 linked bank account numbers from secured credit card consumers.

According to a criminal complaint in U.S. District Court for the Western District of Washington at Seattle, some of the information was posted to GitHub, a software development platform owned by Microsoft.

The complaint says Thompson boasted in a Twitter direct message about having obtained the data, saying she had "basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it."

"I wanna distribute those buckets I think first," "erratic" wrote in a Twitter message late last month. "There ssns ... with full name and dob."


According to the complaint, the FBI searched a bedroom believed to belong to Thompson and seized "numerous digital devices."

"During the initial search of some of these devices, agents observed files and items that referenced Capital One and the Cloud Computing Company, other entities that may have been the targets of attempted or actual network intrusions, and 'erratic' aliases associated with Paige A. Thompson."

Capital One says it found a vulnerability in its system on July 19, just two days after receiving an email alerting it that some of its data had appeared on GitHub. It then asked for the FBI's help.

The bank says it will contact affected customers and make free credit monitoring and protection available to them.

Last week, credit bureau Equifax agreed to pay $700 million to consumers in connection with a similar breach that occurred two years ago.

Editor's note: Capital One is a financial sponsor of NPR.