A former software engineer with a habit of oversharing on social media was arrested by the FBI on Monday and accused of single-handedly carrying out one of the largest data breaches ever to hit a U.S. bank.
Paige A. Thompson, 33, who listed herself as the CEO of her own hosting company, Netcrave Communications, is accused of breaking into a server holding the personal data of roughly 106 million Capital One Financial Corporation customers and credit card applicants in the United States and Canada. Capital One is the 10th largest bank in the U.S. by assets.
Capital One determined on July 19 that an outsider had gained access to the data; the bank says the intrusion itself took place in March. The entry point was a misconfigured web application firewall in front of the server, not a flaw in the underlying cloud infrastructure. According to the criminal complaint, that misconfiguration let the intruder relay commands to the server, obtain the credentials of a cloud role attached to it, and use those credentials to list and copy data out of the bank's cloud storage.
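The security-relevant lesson of that paragraph is that the credentials a cloud server carries can be lifted through a front-end misconfiguration and then used from somewhere else entirely. The following is an added example, not code from Capital One, AWS or the investigation: a small detector that flags EC2 instance-role credentials being used from an address the instance is not known to egress from. The log field names follow AWS CloudTrail's documented event format, but every event, IP address, role name and instance ID below is constructed for the demonstration.

```python
"""Flag instance-role credentials used from outside the instance's own egress
address.  Added illustration for this article; all events and identifiers are
constructed, and the role/instance names are hypothetical."""
import ipaddress
import json
import re

# Assumption: the public egress addresses each instance is expected to use.
# In practice this comes from your asset inventory (EIPs, NAT gateway addresses).
EXPECTED_EGRESS = {
    "i-0123456789abcdef0": {"203.0.113.10"},   # TEST-NET-3 address, constructed
}

INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed CloudTrail-style events.  The second and third use the server's
# role from 198.51.100.7, an address the instance never egresses from.
SAMPLE_EVENTS = json.dumps([
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-waf-role/i-0123456789abcdef0"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-waf-role/i-0123456789abcdef0"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-waf-role/i-0123456789abcdef0"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-waf-role/i-0123456789abcdef0"}},
])


def load_sample_events():
    """Return the constructed events as Python objects."""
    return json.loads(SAMPLE_EVENTS)


def instance_id_from_session(arn):
    """An instance profile assumes its role with the instance ID as the session
    name, so the ARN ends in .../RoleName/i-xxxx.  Return that ID, else None."""
    parts = arn.split("/")
    if ":assumed-role/" in arn and len(parts) >= 3 and INSTANCE_ID_RE.match(parts[-1]):
        return parts[-1]
    return None


def is_aws_internal(source):
    """CloudTrail records service-originated calls with a DNS name, not an IP."""
    return source.endswith(".amazonaws.com")


def find_exfiltrated_credential_use(events):
    """Return (instance_id, event_name, source_ip) for every call made with an
    instance's role credentials from an address that instance does not use."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue                      # only instance-profile sessions matter here
        iid = instance_id_from_session(ident.get("arn", ""))
        if iid is None:
            continue                      # role assumed by a human or another service
        src = ev.get("sourceIPAddress", "")
        if is_aws_internal(src):
            continue                      # AWS service acting on the role's behalf
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue                      # unparseable source; separate data-quality alert
        if src not in EXPECTED_EGRESS.get(iid, set()):
            findings.append((iid, ev["eventName"], src))
    return findings


if __name__ == "__main__":
    for finding in find_exfiltrated_credential_use(load_sample_events()):
        print("instance credentials used off-host:", finding)
```

Run stand-alone, the script reports the two S3 calls made with the server's role from 198.51.100.7 and stays silent on the call from the instance's own address, the IAM-user call and the service-originated call. The same pattern is what managed detections for credential exfiltration look for; the piece a team must supply itself is an accurate egress inventory, because without it every legitimate address change becomes an alert.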
Capital One disclosed the breach only on Monday. It said the bulk of the exposed records were details collected on credit card applications, such as names, addresses, phone numbers and dates of birth, and that the most sensitive items exposed were about 140,000 Social Security numbers, roughly 1 million Canadian social insurance numbers and about 80,000 linked bank account numbers. The bank said it had no evidence that the data had been used for fraud or passed on to anyone else.
Thompson previously worked for Amazon Web Services (AWS) but left the company in 2016.
The U.S. Department of Justice (DOJ) charged Thompson with one count of computer fraud and abuse for the intrusion into the stored data. In the criminal complaint, prosecutors said Thompson broke into a server hosted by an unnamed cloud computing services company to reach the personal data of Capital One customers.
On that count Thompson faces up to five years in prison and a $250,000 fine.
It is not known whether Thompson released the stolen data or shared it with anyone else, but the DOJ said there is evidence she intended to. She was undone by her habit of bragging about the attack online and by a tipster who told Capital One what she had done. FBI special agent Joel Martini said the bureau had little trouble identifying Thompson because of her boasts and the other clues she left on GitHub, Twitter, the social network Meetup and the messaging platform Slack.
Thompson often shared information about her mental health issues and her deceased cat Millie on Twitter. She also ran a Meetup group for hackers and programmers in the Seattle area.
The tipster sent a note to Capital One’s security hotline email address, informing the company that “there appears to be some leaked (Capital One)” data on GitHub.
The FBI found that the web address of the GitHub page included Thompson’s full name and that the page led to her resume and home address. Thompson was arrested at her home in Seattle on Monday evening.