A very not so smart woman named Paige Adele Thompson has been identified as the suspect behind the massive Capital One data breach that compromised the personal data of more than 100 million people.
Thompson, a former Amazon employee, was arrested by the FBI in Seattle on Monday (Jul. 29) and was charged with a single count of computer fraud and abuse after she hacked into Capital One’s systems and gained access to private information.
An FBI agent said the feds were easily able to track her down after she bragged about her criminal activity online via Twitter, Slack, GitHub and Meetup.
More via Business Insider:
The breach occurred on March 22 and 23, the complaint said. Capital One, the fifth-largest credit-card issuer in the US, said the largest category of compromised information involved consumers and small businesses that applied for credit cards between 2005 and early 2019.
In the complaint, an FBI agent, Joel Martini, laid out evidence he found on GitHub, Slack, Meetup, and Twitter.
The complaint, filed with the US Attorney’s Office for the Western District of Washington, said Thompson posted on GitHub on April 21 about the leaked information.
The post, dubbed the “April 21 File,” contained “a list of more than 700 folders or buckets of data,” as well as code for three commands to obtain Capital One’s credentials and extract data, the complaint said.
Another user spotted the post and flagged it to Capital One on July 17, the complaint said. Two days later, the credit card company contacted the FBI, and investigators began looking into the account that posted the information.
The complaint said the GitHub address where the “April 21 File” was posted included Thompson’s full name and a link to a GitLab page that had a resume indicating she was a systems engineer.
Martini said he found a group organized by Thompson on a platform called Meetup that had an invitation code for a channel on Slack, a team-chat service.
The complaint said that on June 26, one of the users, “erratic,” believed to be Thompson, posted “a list of files” that they “claimed to possess.”
A screenshot of a Slack conversation included in the complaint showed a user telling “erratic” not to go to jail and “erratic” responding with “I wanna get it off my server thats why Im archiving all of it lol.”
The complaint said that on June 18, a Twitter user believed to be Thompson exchanged direct messages about the data breach with another person on the site.
A screenshot included in the complaint showed the user saying they wanted to “distribute those buckets” of information they obtained.
Martini said the message indicated that Thompson “intended to disseminate data stolen from victim entities, starting with Capital One.”
The complaint characterized another message in the screenshot as an acknowledgment that the information “buckets” included Social Security numbers with full names and dates of birth tied to the Capital One accounts.
So you were smart enough to hack into Capital One, but not smart enough to not brag about it all over the internet?
If an award for dumbest criminal of the year existed, Paige A. Thompson would definitely be nominated.
The indictment of Paige Thompson clearly indicates she wanted to be caught.
Breaking into Capitol One and posting about in Slack is beyond stupid.
Her time should have been spent on bug bounties rather than unauthorized intrusions.
Lessons learned?https://t.co/novW4OLsX2— Kevin Mitnick (@kevinmitnick) July 30, 2019
Thompson appeared in court Monday. If convicted as charged, she could face up to five years in prison, as well as a $250,000 fine.