Capital One Says Data Breach Affected 100 Million Credit Card Applicants

Capital One announced Monday that a hacker breached data of nearly 100 million credit card applicants, and that thousands of bank account and Social Security numbers had been taken in the process.

Court records show that the FBI arrested Paige A. Thompson from Seattle, according to the Washington Post.

Capital One chairman and chief executive Richard D. Fairbank said he was sorry for the breach, and that he was committed to making things right.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Fairbank said. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

The Capital One breach is one of the bigger hacks ever on a financial services firm. Capital One said the data breach could cost the company well more than $100 million, maybe upwards of $150 million.

The company based in Virginia said no log-in information had been obtained, nor had most of the Social Security numbers been taken.

Equifax, one of the three major credit-reporting agencies, reported in 2017 that personal information was stolen from 147 million people, and just last week U.S. regulators reached a $700 million settlement in that case.

The arrest in the Capital One case was made rather quickly, mostly because Thompson gloated online.

In a criminal complaint filed in federal court, authorities say Thompson, during online conversations, often used the term "erratic" as a name while posting. They say she is suspected of "exfiltrating and stealing information, including credit card applications and other documents, from Capital One."

Thompson remains in jail while awaiting a detention hearing that is scheduled for Thursday.

FBI special agent Joel Martini signed the criminal complaint that says Thompson "made statements on social media for evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally."

In one particular online post, Thompson, or "erratic," wrote: "I've basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it."

Thompson's lawyer didn't respond for comment.

"Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants' names, addresses, dates of birth and information regarding their credit history has not been tokenized," the complaint stated.

The bank told the FBI that it's likely "tens of millions of applications and approximately 77,000 bank account numbers" were breached. This includes about 140,000 Social Security numbers.

Capital One first learned of the hacker on July 17, according to the complaint.

Computer Hack Data Breach
Close-up of code on a computer screen for the Apache Struts framework, which was exploited by computer hackers using a Remote Code Execution exploit in order to allegedly steal the personal information of millions of people from credit bureau Equifax, October 2, 2017. Photo by Smith Collection/Gado/Getty Images