The actual crime occurred on March 22nd and 23rd this year. For about 140,000 people the exposure included Social Security Numbers, and for 80,000 their linked bank account numbers as well. The FBI has already arrested the person believed to be responsible, identified in court documents as Paige Thompson, a software engineer from Seattle who went by the handle "erratic." From 2015 to 2016 she apparently worked at an unnamed cloud computing provider (we have a couple of guesses) that Capital One uses to store its data.

The court complaint explains that she exploited a "misconfigured web application firewall" and posted on GitHub about it. On July 17th, someone saw the post and alerted Capital One via its disclosure process, and two days later the company confirmed the theft. The FBI linked her to the theft based on the GitHub posts under her account, messages sent in a Slack channel, DMs on Twitter, and IP logs showing access to the cloud server from the same VPN service used to post the messages on GitHub.

The company has decided to focus on the fact that credit card numbers and 99 percent of Social Security numbers weren't stolen, but that still leaves a ton of info that Thompson allegedly obtained without being detected until someone told them about it.

Capital One said it will notify those who had their data stolen (mostly cardholders and people who had applied for cards between 2005 and early 2019), as well as provide free credit monitoring and identity theft protection. While the FBI and Capital One seem to believe Thompson didn't share the information with anyone or use it for fraud, if it were out there it could be used to impersonate those affected, or to create targeted phishing attacks. Thompson will have a hearing on August 1st, facing a charge of computer fraud and abuse that carries a maximum penalty of five years in jail and a $250,000 fine.

Capital One: