The ex-Amazon employee accused of hacking into the 5th-largest credit-card company in the US posted about it online, the FBI says

  • A former software engineer named Paige A. Thompson hacked into Capital One’s systems and accessed the information of more than 100 million credit-card applicants and customers, federal prosecutors said. An FBI agent said he tracked her down after she talked about it online.
  • Thompson was arrested by the FBI in Seattle on Monday and charged with a single count of computer fraud and abuse.
  • In the criminal complaint, the FBI agent, Joel Martini, laid out evidence he found on GitHub, Slack, Meetup, and Twitter.

A software engineer in Seattle was behind a Capital One data breach that affected more than 100 million credit-card applicants and customers in the US and Canada, prosecutors alleged in a criminal complaint on Monday.

Paige A. Thompson, a former Amazon employee, was arrested by the FBI in Seattle and appeared in court on Monday. She was charged with a single count of computer fraud and abuse. If convicted, she could face a sentence of up to five years in prison and a $US250,000 fine.



The breach occurred on March 22 and 23, the complaint said. Capital One, the fifth-largest credit-card issuer in the US, said the largest category of compromised information involved consumers and small businesses that applied for credit cards between 2005 and early 2019.

In the complaint, an FBI agent, Joel Martini, laid out evidence he found on GitHub, Slack, Meetup, and Twitter.



Kevin Mitnick, a computer-security consultant and convicted hacker, also posted on Twitter about the incident.

Scroll down to see the evidence in the complaint that led to Thompson’s arrest:


The criminal complaint alleges that Thompson posted on the code-sharing website GitHub that she had hacked into Capital One.

Department of Justice: A GitHub user’s email to Capital One alerting it to a possible security breach was included in the complaint.

The complaint, filed with the US Attorney’s Office for the Western District of Washington, said Thompson posted on GitHub on April 21 about the leaked information.

The post, dubbed the “April 21 File,” contained “a list of more than 700 folders or buckets of data,” as well as code for three commands to obtain Capital One’s credentials and extract data, the complaint said.

Another user spotted the post and flagged it to Capital One on July 17, the complaint said. Two days later, the credit-card company contacted the FBI, and investigators began looking into the account that posted the information.

The complaint said the GitHub address where the “April 21 File” was posted included Thompson’s full name and a link to a GitLab page that had a résumé indicating she was a systems engineer.


Martini said he found a Slack channel where a user named “erratic,” believed to be Thompson, posted incriminating messages about the information theft.

Department of Justice: The complaint said ‘erratic’ sent messages about the data breach in a Slack channel.

Martini said he found a group organised by Thompson on a platform called Meetup that had an invitation code for a channel on Slack, a team-chat service.

The complaint said that on June 26, one of the users, “erratic,” believed to be Thompson, posted “a list of files” that they “claimed to possess.”

A screenshot of a Slack conversation included in the complaint showed a user telling “erratic” not to go to jail and “erratic” responding with “I wanna get it off my server thats why Im archiving all of it lol.”


The complaint alleges that Thompson messaged a person on Twitter about the stolen information, saying she had “basically strapped myself with a bomb vest.”

Department of Justice: The complaint said that a screenshot of a Twitter direct-message conversation showed that a user believed to be Thompson indicated an intention to distribute sensitive information obtained from the security breach.

The complaint said that on June 18, a Twitter user believed to be Thompson exchanged direct messages about the data breach with another person on the site.

A screenshot included in the complaint showed the user saying they wanted to “distribute those buckets” of information they obtained.

Martini said the message indicated that Thompson “intended to disseminate data stolen from victim entities, starting with Capital One.”

The complaint characterised another message in the screenshot as an acknowledgment that the information “buckets” included Social Security numbers with full names and dates of birth tied to the Capital One accounts.
