Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.

Capital One said in a statement on Monday that the stolen data related to credit card applicants and current credit card customers. The breach also affects six million Canadians, including one million Canadian Social Insurance numbers, in addition to the more than 100 million US consumers impacted.
"Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement," the bank said. "The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."

Capital One discovered the breach on July 19. The FBI connected the incident to Thompson quickly, the criminal complaint says, because it was so easy to link the GitHub page where she posted the stolen data to her handle and real identity. From there, investigators searched Thompson's communications and worked backward to see if Capital One's system logs matched the timeline of Thompson's alleged online activity.

Thompson allegedly used the anonymity network Tor and the VPN IPredator while breaching Capital One, exfiltrating data, and posting it to GitHub in April, and seemed confident that they would protect her identity. But these tools are far from foolproof ways of covering your tracks, especially when you're also posting about your actions on accounts linked to your real identity.

One screenshot of a Slack conversation from the criminal complaint shows an unnamed individual saying "sketchy shit, don't go to jail plz," after Thompson allegedly posted a link to the stolen data. A user named "erratic" replied, "I wanna get it off my server thats why Im archiving all of it lol. its all encrypted. I just don't want it around though."

Another screenshot shows some of Thompson's alleged messages sent over Twitter direct messages. "Ive basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns...with full name and dob."

The criminal complaint says that the resume on Thompson's alleged GitHub account reported that she was a systems engineer from 2015 to 2016 at the same cloud computing company she breached in the intrusion. The Wall Street Journal reported on Monday that the company is Amazon Web Services. AWS did not immediately return WIRED's request for comment.
As in the physical world, it's fairly difficult to disconnect your online actions from your real identity. This presents a hurdle for people like activists, political dissidents, and whistleblowers, but is also a challenge that criminal hackers attempt to overcome with varying degrees of sophistication and success. Tools like VPNs and Tor can lend a false sense of protection to those who don't really know how to fully conceal their actions, though.

"Under optimal conditions, in principle tools like Tor can isolate your footprints," says Kenn White, director of the Open Crypto Audit Project. "The problem is nothing is really useful in isolation. People use social media, they use familiar, known handles. It is very hard to compartmentalize your life online, and it only takes one mistake to be caught, particularly for crimes of this magnitude."

Still, online criminals, fraudsters, and other malicious hackers are caught relatively rarely, and successful investigations usually take many months or years. This in itself raises some questions about how easily and quickly law enforcement traced the alleged hacker in the Capital One breach. In the case of the massive 2017 Equifax hack, for example, investigators still have not publicly named a culprit or motive.
Capital One estimates that responding to the incident will cost $100 million to $150 million in the short term. But, as usual, consumers are the true victims. Monitor your financial accounts and credit reports for any unusual activity, and make sure your digital accounts all have strong passwords and two-factor authentication enabled, so you can avoid or quickly catch attempts to invade your digital life. In the case of the Capital One incident, though, it's possible that the data is not actually in public circulation, even though it was posted for nearly three months.
"The multi-million dollar question is who has the dump," White says, "whether anyone grabbed it before the arrest."