A lone actor has hacked into US bank Capital One in a massive data breach affecting more than 100 million Americans.
Fourteen years’ worth of customer data, including 140,000 social security numbers and 80,000 bank account numbers, was compromised in the incident.
Capital One became aware of the breach when it received an email linking to a GitHub file of the leaked data.
The file contained code for a set of commands that granted access to a cloud server behind a misconfigured firewall and over 700 folders or buckets of data.
Capital One has confirmed it has since fixed the vulnerability on its web applications that are hosted on Amazon Web Services (AWS).
Paige Thompson, 33, known by the username ‘erratic’, is the FBI’s main suspect.
She is a former Amazon employee and systems engineer who worked on AWS.
Thompson’s name and GitLab profile were included in the GitHub file dump.
In an affidavit, FBI Special Agent Joel Martini explained how he linked Thompson’s GitHub account to a server list matching IP addresses controlled by the same VPN provider from which the Capital One breach took place.
Martini also tracked Thompson through a Meetup group with “Paige Thompson (erratic)” listed as the organiser.
That group contained a Slack invitation code to a channel on which user ‘erratic’ boasted about files she accessed illegally – and the methods she used to hide her activity.
Martini also linked the Twitter account @0xA3A97B6C with the username ‘ERRATIC’ which had been messaging the person who eventually tipped off Capital One about the data breach.
“I’ve basically strapped myself with a bomb vest, f@#%ing dropping Capital One’s DOX and admitting it,” they said in one message.
Based on this evidence, Martini and other FBI Special Agents executed a search warrant on Thompson’s home earlier this week where they seized devices referencing Capital One and AWS, other potential targets, and further connecting Thompson with the ‘erratic’ alias.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Capital One Chairman and CEO, Richard Fairbank.
"I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right."
The felony charge of gaining unauthorised access to information on a financial institution’s computers carries a maximum sentence of five years in prison and a US$250,000 fine.