A hacker swiped credit card applications, Social Security numbers and bank account information affecting more than 100 million people in the U.S. and Canada from Capital One’s server, the bank announced Monday. Authorities say they arrested a suspect, Seattle software engineer Paige Thompson, after she posted about the incident on social media, the New York Times reports.
“I’ve basically strapped myself with a bomb vest, dropping capital ones dox and admitting it,” Thompson purportedly posted on Slack, prosecutors say.
Her posts on the social network Meetup initially alerted the FBI after the breach on July 20, according to the New York Times. There, Thompson ran a group called Seattle Warez Kiddies for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” From that point, they traced her online activity to other accounts on Twitter and Slack where she allegedly bragged about the hack.
Thompson has been charged with computer fraud and abuse, and faces a maximum sentence of a $US250,000 ($363,638) fine and up to five years in prison, the BBC reported.
According to court documents, the FBI says the hacker took advantage of a “firewall misconfiguration” to breach the bank’s server. Capital One attributed the incident to an exploited “configuration vulnerability,” and said the hacker made off with 140,000 Social Security numbers and 80,000 bank account numbers.
In total, the heist compromised information affecting roughly 100 million people in the United States and another 6 million in Canada.
The bank’s chief executive, Richard D. Fairbank, apologised for the incident in a statement Monday.
“I am deeply sorry for what has happened,” Fairbank wrote. “I sincerely apologise for the understandable worry this incident must be causing those affected, and I am committed to making it right.”
In the wake of the data breach, Capital One is offering free credit monitoring and identity protection to anyone affected.