WASHINGTON – Capital One, the Virginia-based bank with a popular credit card business, announced Monday that a hacker had access to about 100 million credit card applications, and investigators say thousands of Social Security numbers and bank account numbers were also taken.  According to the FBI, the FBI arrested a Seattle area woman, Paige Thompson, on a charge of computer fraud and abuse.
The hack seems to be one of the biggest data breaches ever to hit a finance company. In 2017, credit reporting company Equifax revealed that hackers had stolen personal information of 147 million people. Last week it reached a $ 700 million settlement with US regulators over that breach.
"While I am grateful that the perpetrator has been caught, I deeply apologize for what has happened," said Richard Fairbank, chairman and chief of the Capital One executive. "I sincerely apologize for the understandable concern this incident has caused to those affected, and I am committed to doing it right."
The hack is expected to cost the company between $ 1
In announcing the data breach, Capital One emphasized that no credit card number or login information was compromised, nor was the vast majority of social security numbers for the applications concerned.
It is unusual in a major hacking case for a suspect to be arrested so quickly, and in this case, it was due to the apparent boast done online.
Thompson, who authorities say used the name "erratic" in online conversations, is suspected of "filtering out and stealing information, including credit card applications and other documents, from Capital One," according to a criminal complaint filed in federal court. She was ordered to remain in jail pending a custody hearing scheduled Thursday, according to court records.
A Thompson attorney did not immediately respond to a statement of comment.
Thompson "made statements on social media to prove the fact that she has information on Capital One and that she acknowledges that she acted illegally," according to the criminal complaint signed by FBI Special Agent Joel Martini.
In one web post, "erratic" wrote: "I basically based myself on a bomb vest, [expletive] and dropped the capitol de dox and admit it," according to the complaint.
"While some of the information in these applications (such as social security numbers) has been tokenized or encrypted, other information, including the applicants' names, addresses, date of birth and information about their credit history, has not been tokenized," the FBI complaint, and the bank told the agency that the data includes "probably tens of millions of applications and about 77,000 bank account numbers."
Capital One, which is headquartered in the Washington suburb of McLean, Virginia, was notified of a problem on July 17 after a a person in an online discussion group had claimed to have taken large amounts of the company's data, according to the complaint.
The bank quickly investigated and confirmed that it was a vulnerability, court documents state.
The hacker was able to access social security numbers to around 140,000 customers – those who used social security numbers as their employer identification number when applying for credit cards for small businesses, the bank said.
Thompson previously worked at an unidentified cloud company that provided data services to Capital One, according to court documents.
Authorities said that in conversations using the Slack messaging service, Paige left out a list of files she claimed to have and led another person in group discussion to answer: "sketchy" and "not go to jail plz."
The "erratic" user replied, "I want it from my server. That's why I archive all that lol … everything is encrypted," according to court documents.
Based on other posts allegedly made by Thompson last month, the FBI suspected that she "intended to disseminate data stolen from victim bodies, starting with Capital One," court documents say.