(NBC NEWS)—A former software engineer from Seattle has been arrested in connection with a massive data breach that potentially puts over 100 million Capital One credit card applicants at risk.
Paige A. Thompson, 33, allegedly accessed information from Capital One bank through a faulty web application firewall and then posted the data to an information sharing site, according to a criminal complaint released Monday.
Capital One said in a statement to NBC News on Monday that the breach affects approximately 100 million individuals in the United States and approximately 6 million in Canada.
The bank insists, however, that no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised.
An unidentified person contacted Capital One on July 17 to report that leaked data belonging to the company appeared to be posted on GitHub, a hosting site often used by software engineers to develop and collaborate on projects.
Capital One staff investigated the posting, which was dated April 21, and saw instructions on how to access the company’s private information through computer code. Internal company logs indicated that the “buckets” of information that the code led to were indeed accessed.
Some of the more sensitive data, including Social Security information, was encrypted, but information from tens of millions of credit card applications has been put at risk.
About 140,000 Social Security numbers and 80,000 bank accounts were potentially put at risk, according to a statement from the bank Monday.
Information about applicant names, addresses, birth dates and credit history is also at risk.
An FBI cyber investigator matched the GitHub account name with a former systems engineer for Cloud Computing Company named Paige Thompson, according to the complaint. Further investigation of Thompson showed she allegedly created a messaging channel and claimed in a post to have data obtained using the same code in the April 21 GitHub post.
The FBI also believes Thompson is behind a Twitter account that sent a private message to Capital One on June 18 claiming to have Social Security numbers.