Capital One Says Hacker Stole Data of 100 Million People

A woman who worked as a software engineer in Seattle hacked into a server holding customer information for Capital One and obtained the personal data of over 100 million people, federal prosecutors said on Monday, in one of the largest thefts of data from a bank.

The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.

Ms. Thompson, who formerly worked for Amazon Web Services, which hosted the Capital One database that was breached, was not shy about her work as a hacker. She is listed as the organizer of a group on Meetup, a social network, called Seattle Warez Kiddies, described as a gathering for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The F.B.I. noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and the Slack messaging service.

“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”

Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.

According to court papers and Capital One, Ms. Thompson stole 140,000 Social Security numbers and 77,000 bank account numbers in the breach.

More than 100 million people in the United States and Canada were affected, the company said Monday. The breach also compromised one million Canadian social insurance numbers — the equivalent of Social Security numbers for Americans.

“Based on our analysis to date,” the bank said in a statement, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”

Amazon Web Services hosts the remote data servers that companies use to store their information, but large enterprises like Capital One build their own web applications on top of Amazon’s cloud data, to be able to use the information in ways suited to their needs.

The F.B.I. agent who investigated the breach said in court papers that Ms. Thompson gained access to the sensitive data through a “misconfiguration” of a firewall on a web application that allowed the hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.

Amazon said customers fully control the applications they build, and Capitol One said in a news release that it “immediately fixed the configuration vulnerability” once it discovered the problem. Amazon said it found no evidence its underlying cloud services were compromised.

“I am deeply sorry for what has happened,” the bank’s chief executive, Richard D. Fairbank, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

While the breach was possible thanks to a security lapse by Capital One, it was aided by Ms. Thompson’s expertise. Amazon said that Ms. Thompson worked at AWS about three years ago and that no insider knowledge or access was required to exploit the misconfigured firewall.

In a breach in 2017, Capital One notified customers that a former employee may have had access for nearly four months to their personal data, including account numbers, telephone numbers, transaction history and Social Security numbers. The company reported a similar breach involving an employee in 2014.

Last week, the credit bureau Equifax settled claims from a 2017 data breach that exposed sensitive information on over 147 million consumers, costing it about $650 million.