The Industry

The Capital One Hacker Did Almost Everything Possible to Get Caught

A Capital One bank.
A massive hack of Capitol One has compromised the sensitive data of 100 million people in the U.S.
Drew Angerer/Getty Images

On Monday, the public learned that Capital One, the third-largest credit card issuer in the country, had experienced a massive hack. The sensitive data of 100 million people in the U.S. and 6 million people in Canada had been compromised, according to a statement from the company, which makes it one of the largest thefts of data from a bank ever. That’s not the only thing that makes the story remarkable. The woman who the U.S. government alleges committed the breach—Paige Thompson, a 33-year-old Seattle resident who went by the name “erratic” online—didn’t just leave a trail of breadcrumbs for investigators to follow. She left whole loaves of bread.

The hack itself is colossal, and as with any data breach, it’s practically impossible to know where the data already is or could eventually end up now that it’s out there. It’s often also hard to find out who did it. Maintaining anonymity online isn’t easy, but dedicated hackers manage it. Thompson, however, didn’t appear interested in staying under the radar at all. Within 10 days of Capital One discovering its systems had been breached, the FBI arrested Thompson, who allegedly accessed the trove of information by breaking into a firewall that had been misconfigured at some point in March.

The breach includes data from tens of millions of credit card applications filed to Capital One between 2005 and 2019, including information on people’s home addresses, phone numbers, email addresses, self-reported income, credit scores, account balances, and other types of information people put on a credit card application. According to a release from Capital One, “no bank account numbers or Social Security numbers were compromised” except for “about 140,000 Social Security numbers of our credit card customers” and “about 80,000 linked bank account numbers of our secured credit card customers.” That’s a pretty big except. And across the border, about 1 million Social Insurance Numbers—Canada’s version of Social Security numbers—were exposed, too.

According to a federal indictment, Thompson posted the data she pilfered on her GitHub profile on April 21, where she had also uploaded her résumé with her full name listed and details about her employment history. Thompson previously worked for Amazon Web Services, of which Capital One is a major client. While it’s not clear if anyone downloaded the data, at least one person did stumble on it—and then alerted Capital One in an email on July 17.

Although Thompson allegedly used the anonymity network Tor as well as a VPN to help mask her activity as she was committing the hack, her operational security fell much laxer after she obtained the data. Thompson appears to have boasted about the stolen data in a Slack channel, according to screenshots shared in the court documents, which was linked in a Meetup.com group she hosted called Seattle Warez Kiddies, described as an event for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” In that Slack group, Thompson, going by the moniker “erratic,” wrote on June 27: “I wanna get it off my server that’s why Im archiving all of it lol.” One of the other members in the Slack group wrote, “sketchy shit. don’t go to jail plz.” In the same Slack channel, Thompson also previously posted a photo of an invoice from a veterinarian for one of her pets, which also included her full name and the same address on the résumé posted to her GitHub page.

The FBI says it also found evidence of Thompson’s involvement with the hack on Twitter, where she posted numerous tweets about computer security and sent direct messages to the person who reported the data breach to Capital One. “I’ve basically strapped myself with a bomb vest, dropping capitol one dox and admitting it. I wanna distribute those buckets I think first,” she wrote.

This isn’t the first time someone who committed a major hack didn’t cover their tracks. Earlier this year the FBI announced it had taken down a team in Russia that used malware to steal bank account information and money thanks in part to advertisements the data thieves posted for cybercrime services. But that hack didn’t compromise anywhere near the number of people affected by the Capital One hack, the damage of which is still unclear.

We’ll likely learn more about Thompson on Thursday, when she appears in court for a hearing.

Have you been notified that you were affected by the Capital One hack? Tell me about it at april.glaser@slate.com.