NEW YORK–Capital One said a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications earlier this year. The hacker has been arrested. The company said the breached data included 140,000 Social Security numbers, one-million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of names, addresses, credit scores, credit limits, balances, and other information.
The company said "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised." One-hundred million of the breached accounts involved U.S. residents; six-million were Canadian.
According to the Department of Justice, Paige Thompson, 33, has been arrested in connection with the breach. The DoJ is alleging Thompson "posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data."
The Department of Justice said Thompson had previously worked as a tech company software engineer and was able to gain access by exploiting a misconfigured web application firewall.
According to a report by Bloomberg, Capital One Financial Corp. has in place an email address for tipsters -- including "white hat" hackers -- to alert the company to potential vulnerabilities in its computer systems. On July 17, the company "got a hit," Bloomberg reported.
“Hello there,” the email said, according to federal prosecutors as quoted by Bloomberg. “There appears to be some leaked s3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.
In short order, Capital One figured out who had accessed its files, Bloomberg reported. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname "erratic" and discussed her exploits with others, according to federal prosecutors, Bloomberg said.
“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the "erratic" alias, in a June 18 Twitter message. “There ssns...with full name and dob” -- an apparent reference to Social Security numbers, Bloomberg said.
Capital One said the hack took place on March 22-23 and that it has since fixed the vulnerability, adding it believes it is "unlikely that the information was used for fraud or disseminated by this individual." The investigation continues, however.
"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," Capital One CEO Richard Fairbank said in a statement.
Capital One said it plans to notify people affected by the breach and will make free credit monitoring and identity protection available.
