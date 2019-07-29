WASHINGTON - The FBI has arrested a Seattle-area woman on charges of stealing tens of millions of sensitive customer records from Capital One, the Northern Virginia-based bank with a popular credit card business, including some bank account numbers, according to court papers.
The suspect, Paige Thompson, was arrested early Monday on a charge of computer fraud and abuse, court records say.
Thompson is suspected of "exfiltrating and stealing information, including credit card applications and other documents, from Capital One," according to a criminal complaint filed in federal court. She was ordered to remain in jail pending a detention hearing scheduled for Thursday, according to court records.
The Capital One Financial Corp. hack disclosed Monday appears to be one of the largest data breaches ever to hit a financial services firm. In 2017, the credit-reporting company Equifax disclosed that hackers had stolen the personal information of 147 million people. Last week, it reached a $700 million settlement with U.S. regulators over that hack.
McLean-based Capital One, which is the Richmond region's largest private employer, said in a statement Monday evening that the breach affected about 100 million people in the U.S. and 6 million in Canada.
"Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised," the bank said.
Chairman and CEO Richard D. Fairbank apologized.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," he said in the company's statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
The company said it "immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. ... Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."
It is unusual in a major hacking case for a suspect to be apprehended so quickly, and in this case, that was apparently due to boasts made online.
Thompson, who authorities say used the name "erratic" in online conversations, "made statements on social media for evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally," according to the criminal complaint signed by FBI special agent Joel Martini.
Capital One was alerted to a problem on July 17, after a person in an online discussion group had claimed to have taken large amounts of the company's data, according to the complaint.
The bank investigated and quickly confirmed there was a vulnerability, the court papers said.
Capital One said in its statement: "The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income."
The bank said the hacker also obtained portions of credit card customer data, including credit scores, credit limits, balances, payment history and contact information, along with fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
About 140,000 Social Security numbers of credit card customers were compromised, as were about 80,000 linked bank account numbers of secured credit card customers.
"We will notify affected individuals through a variety of channels," Capital One said. "We will make free credit monitoring and identity protection available to everyone affected."
