Capital One, the Virginia-based bank with a popular credit card business, announced Monday that a hacker had access to about 100 million credit card applications, and investigators say thousands of Social Security numbers and bank account numbers were also taken.
The FBI has arrested a Seattle-area woman, Paige A. Thompson, on a charge of computer fraud and abuse, according to court records.
The hack appears to be one of the biggest data breaches ever to hit a financial company. In 2017, credit reporting company Equifax revealed that hackers had stolen the personal information of 147 million people. Last week, Equifax reached a $700 million settlement with US regulators over that breach.
"While I am grateful that the perpetrator has been caught, I deeply apologize for what has happened," said Richard D. Fairbank, president and CEO of Capital One. "I regret the understandable concern this incident has to cause to those affected, and I am committed to doing it right."
The hack is expected to cost the company between $100 million and $150 million in the short term, Capital One said.
In announcing the data breach, Capital One emphasized that no credit card numbers or login information were compromised, nor were the vast majority of Social Security numbers on the affected applications.
It is unusual in a major hacking case for a suspect to be arrested so quickly; in this case, the arrest followed apparent boasting online.
Thompson, who authorities say used the name "erratic" in online conversations, is suspected of "filtering out and stealing information, including credit card applications and other documents, from Capital One," according to a criminal complaint filed in federal court. She was ordered to remain in jail pending a custody hearing scheduled for Thursday, according to court records.
An attorney for Thompson did not immediately respond to a request for comment.
Thompson "made statements on social media to prove the fact that she has information on Capital One and that she acknowledges that she acted unlawfully," according to the criminal complaint signed by FBI Special Agent Joel Martini. In a web post, "erratic" wrote: "I was basically excited about a bomb vest, [expletive] and dropping the capitol de dox and admitting it," according to the complaint.
"Although some of the information in these applications (such as Social Security numbers) has been tokenized or encrypted, other information, including the applicants' names, addresses, date of birth and information about their credit history, has not been tokenized," the FBI complaint said, and the bank told the agency that the data include "probably tens of millions of applications and about 77,000 bank account numbers."
Capital One, which is headquartered in the DC suburb of McLean, Va., was notified of a problem on July 17 after a person in an online discussion group claimed to have taken large amounts of the company's data, according to the complaint.
The bank quickly investigated and confirmed that there was a vulnerability, according to court documents.
The hacker was able to access the Social Security numbers of about 140,000 customers – those who used their Social Security numbers as their employer identification number to apply for small-business credit cards, the bank said.
Thompson previously worked at an unidentified cloud computing company that provided data services to Capital One, according to court documents.
Authorities said that in conversations on the Slack messaging service, Paige posted a list of files she claimed to have, prompting another person in the group discussion to reply: "sketchy" and "not go to jail plz."
The "erratic" user replied: "I want it from my server. That's why I file it all lol … everything is encrypted," according to court files.
Based on other posts allegedly made by Thompson last month, the FBI suspected that she "intended to disseminate data stolen from victims, starting with Capital One," court documents say.