The Seattle programmer accused of stealing the data of more than 100 million Capital One credit card applicants and customers in one of history’s largest bank data breaches was caught allegedly bragging about it online.
Paige Thompson, 33, was arrested Monday in connection with the March hack, which potentially placed 80,000 accounts and 140,000 Social Security numbers at risk.
In a criminal complaint published by The Washington Post, FBI special agent Joel Martini detailed the investigation into Thompson’s lengthy digital trail, which authorities had been alerted to through an anonymous tip.
“There appears to be some leaked” data on GitHub, the individual wrote to Capital One on July 17, referring to a popular software development platform.
The tipster included a link to Thompson’s GitHub page, which revealed her full name, home address and résumé.
On Twitter, she apparently went by the handle “Erratic,” a name she used on messaging platform Slack and social networking site Meetup, allowing authorities to connect the dots, according to the complaint.
A screenshot in the complaint shows that about June 27, she spoke about a hack on Slack. One user, whose name is omitted, writes that Thompson was involved in “sketchy shit,” adding, “don’t go to jail plz.”
“I wanna get it off my server thats why Im archiving all of it lol,” Thompson replies. “its all encrypted.”
Another screenshot of direct messages sent via Twitter on June 18 appears to show Thompson confessing to the crime, boasting about the hack.
“I wanna get it off my server thats why Im archiving all of it lol.”
- Message linked to Paige Thompson included in criminal complaint
“Ive basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it,” she wrote, referring to the act of publishing individuals’ personal or identifying information online.
“I wanna distribute those buckets i think first,” she added, noting that there were “ssns...with full name and dob.”
In a statement released Monday, Capital One said “it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
The bank also noted that no log-in credentials or credit card account numbers had been compromised.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Capital One Chairman and CEO Richard Fairbank. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
CLARIFICATION: This article has been edited to reflect that the more than 100 million people affected by the data breach include credit card applicants and customers.