A Seattle software engineer who used the screen name “erratic” has been arrested in the theft of account information on 106 million Capital One credit card applicants and customers.
The arrest of Paige Thompson, 33, differentiates the case from the thefts at credit bureau Equifax in 2017 and hotel chain Marriott a year later, which together affected hundreds of millions of people. The Equifax breach prompted congressional hearings and the departure of then-CEO Richard Smith, as public ire grew over the realization that identification data including birth dates and Social Security numbers that are difficult or impossible to alter had been taken.
Capital One, based in McLean, Virginia, learned of the April data breach after Thompson listed file names from so-called buckets of information from the bank on GitHub, a digital platform for software development projects, and discussed plans to archive the data so it wouldn’t be on her servers, according to a criminal complaint filed in U.S. District Court in Seattle. Another user saw the posts, which were made under Thompson’s name and referenced her Twitter alias, erratic, and contacted the lender on July 19, according to the complaint.
“I’ve basically strapped myself with a bomb vest,” read a message sent from Thompson’s Twitter account cited in the complaint, “dropping capitalones dox and admitting it. I wanna distribute those buckets I think first. Their SSNs with full names and dob.”
FBI agents seized numerous digital storage devices in a raid on Thompson’s home on Friday, some of which included references to Capital One and possible other network breaches, the agency said.
No credit card account numbers were compromised, Capital One said in a statement on Monday evening, and more than 99% of Social Security numbers were not. The largest category of information taken was on consumers and small businesses as of the time they applied for credit cards between 2005 and early this year, and included names, addresses, phone numbers, and self-reported income.
So far, the data doesn’t appear to have been shared or used for fraud, the bank said.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” CEO Richard Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”