South Seattle woman arrested, charged in massive data breach of Capital One

By Sara Jean Green

The Seattle Times

Federal agents on Monday arrested a 33-year-old South Seattle software engineer who is accused of stealing tens of millions of credit-card applications in a massive data breach of Capital One information, according to the U.S. Attorney’s Office in Seattle.

Paige A. Thompson, also known by the online handle “erratic,” was charged with one count of computer fraud and abuse, according to a federal complaint. Appearing in federal court in Seattle on Monday, Thompson broke down and laid her head down on the defense table during the hearing.

U.S. Magistrate Judge Mary Alice Theiler ordered Thompson to be held and set a bail hearing for Thursday. Thompson faces a maximum penalty of five years in prison and a $250,000 fine.

When agents searched the Beacon Hill house where Thompson lives, they seized several digital devices from her bedroom, according to the complaint. During a preliminary search of the devices, agents saw files that referenced Capital One as well as other entities that may also have been targets of network intrusions, the complaint says.

Thompson was not shy about her work as a hacker, according to the complaint. She is listed as the organizer of a group on Meetup, a social network, called Seattle Warez Kiddies, described as a gathering for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The FBI noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and the Slack messaging service.

According to the complaint against Thompson, she worked in 2015 and 2016 as a systems engineer at a cloud-computing company that rented space on its servers to Capital One. She is accused of exploiting a faulty configuration in Capital One’s firewall to access the company’s secure data.

In June, Thompson posted a list of files she claimed to possess and named a variety of companies, government entities and educational institutions, including Capital One, the complaint says. When someone responded to her post, writing, “don’t go to jail plz,” Thompson wrote that she wanted the Capital One files off her server, that the data was encrypted and that she had used a variety of tools and relays to conceal her computer’s IP address, according to the complaint.

Also in June, Thompson tweeted, “I’ve basically strapped myself with a bomb vest, (expletive) dropping capital one dox (documents) and admitting it. I wanna distribute those buckets i think first,” indicating she meant to disseminate the stolen data, says the complaint.

On July 17, someone emailed Capital One, alerting the company about the data breach and including the file address on GitHub, a web-hosting company used primarily for software-development projects. Capital One confirmed the breach and contacted the FBI.

Thompson’s full name was included in the file address, and led agents to her GitHub page, where they also found a copy of her resume, the complaint says.

Most of the data copied from Capital One’s data folders between March and July consisted of credit-card applications, and while some of it, such as Social Security numbers, had been encrypted, other information — including names, addresses, dates of birth, and credit-history information — was not, according to the complaint.

“According to Capital One, the data includes data regarding large numbers of applications, likely tens of millions of applications. According to Capital One, that data includes approximately 120,000 Social Security Numbers and approximately 77,000 bank account numbers,” Special Agent Joe Martini wrote in the complaint.

More than 100 million people in the United States and Canada were affected, the company said Monday. The breach also compromised one million Canadian social-insurance numbers — the equivalent of Social Security numbers for Americans.

In a news release Monday, Capital One Financial Corporation notified customers of the data breach and said the Virginia-based company immediately fixed the vulnerability that had been exploited.

The news release says company officials think it is unlikely that the stolen information was disseminated or used for fraud. The largest category of information accessed was information on consumers and small businesses as of the time they applied for credit cards from 2005 through early 2019.

While federal agents were sweeping the three-bedroom house where Thompson lives, they discovered 20 firearms — both assault-style rifles and handguns — as well as firearm accessories, including bump stocks, scopes, grips and ammunition, in another bedroom, according to a separate complaint filed against the homeowner, 66-year-old Park Quan.

Quan, who was convicted of being a felon in possession of explosives in 1983 and being a felon in possession of an unregistered machine gun in 1991, was arrested and charged Monday with being a felon in possession of a firearm, federal court records show.

In the 1983 criminal case, Quan and two co-conspirators were linked to a failed contract killing using a truck bomb made of dynamite, according to court records and news reports. The bomb, which the would-be victim found attached to the underside of his pickup in Ocean Shores, Grays Harbor County, had malfunctioned, The Seattle Times reported at the time.

Seattle Times staff reporter Mike Carter contributed to this story, which includes information from Bloomberg and The New York Times.