The FBI arrested a Seattle woman Monday morning for the alleged theft of data spanning 14 years from tens of millions of Capital One customers.
Paige Thompson allegedly stole more than a million U.S. and Canadian social security numbers, 77,000 bank account numbers, and a trove of other data from tens of millions of people who applied for Capital One credit cards. A Capital One press release said that, in total, roughly 100 million U.S. customers were affected, as were 6 million Canadian ones.
Thompson allegedly bragged online about having the information: “I’ve basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it,” she wrote in one post, The Washington Post reported. At federal court Monday, she was ordered to remain in jail until her scheduled Thursday hearing, according to Bloomberg.
She allegedly accessed all the information people would offer when applying for credit cards: self-reported income, credit scores, cash balances, names, addresses, zip codes/postal codes, phone numbers, email addresses, and dates of birth. The theft allegedly occurred between March 12 and July 17, and a security researcher discovered the flaw ten days ago.
Thompson was charged with one count of computer fraud and abuse and faces a maximum penalty of five years in prison and a $250,000 fine. Court documents say she previously worked for a cloud computing company that provided services to Capital One. She intended to disseminate the data, according to the documents, but likely did not.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard Fairbank, chairman and CEO of Capital One, said in a statement. The bank said it fixed the vulnerability that allowed Thompson access and verified that no one else had breached its databases. It did not immediately respond to a request for comment.
According to Capital One’s press release, most of the credit cards affected by the breach were “not compromised.”
The breach comes less than a week after Equifax announced a $700 million settlement over its lax handling of hundreds of millions of customers’ financial information.