Capital One revealed on Monday that it recently suffered a massive security breach when a hacker gained access to personal information from around 100 million people in the U.S. and around 6 million in Canada.
The Department of Justice simultaneously announced federal authorities had arrested the suspect, Paige A. Thompson, a 33-year-old former Seattle technology company software engineer.
According to a release, Thompson used knowledge of servers and cloud storage to steal data from millions of Capital One credit card applications.
The FBI arrested Thompson Monday for the data theft, which occurred sometime between March 12 and July 17, court records show.
A 66-year-old Seattle man was also arrested alongside Thompson for illegally possessing a cache of about 20 firearms. Park Quan was arrested by FBI agents while they served a search warrant on his home.
Quan has two federal convictions for firearms violations and is prohibited from possessing firearms. Agents investigating the data theft were sweeping Quan's home when they found a number of firearms in his bedroom. Agents found several rifles, including what "appeared to be" an AR-15-style rifle and AK-47-style rifle. There were also bump stocks - now illegal in Washington state - scopes and other accessories, and what "appear to be fake grenades," according to the Department of Justice.
Thompson, who also goes by the handle "erratic," made a court appearance Monday and was ordered detained until a hearing Thursday, the Department of Justice said. Thompson was charged with computer fraud and abuse, according to court records. She could face up to 5 years in prison and a $250,000 fine, according to the DOJ.
The McLean, Virginia-based bank said in a release that the "largest category of information accessed" included personal details collected for credit card applications from 2005 through early 2019. The information included applicants' names, addresses, zip codes, phone numbers, e-mail addresses, dates of birth and self-reported income.
The bank emphasized that it believes no credit card account numbers or log-in credentials were compromised. However, it said about 140,000 credit card customers had their Social Security numbers exposed, and 80,000 bank account numbers linked to credit cards were compromised.
It plans to offer free credit monitoring services to those affected.
The company added that, based on its analysis so far, it believes it's unlikely the information "was used for fraud or disseminated by this individual."
Court documents allege Thompson posted on the sharing site GitHub about stealing information from servers that stored Capital One data. She was reportedly able to get in through a misconfigured firewall.
On July 17, another user who saw Thompson's post on GitHub alerted Capital One that a hacker may have stolen some of its data, according to court documents.
Capital One explained that it confirmed two days later, on July 19, that an outside individual had indeed obtained "certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers." The company then alerted the FBI.
According to the FBI complaint, a month before, a Twitter user who went by "erratic" sent another user direct messages warning about distributing the bank's data, including names, birthdates and Social Security numbers. That user later reported the message to Capital One.
"Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it," one said. "I wanna distribute those buckets i think first."
On Monday morning, the FBI executed a search warrant at Thompson's home and seized storage devices that contained a copy of the data, according to the U.S. Attorney's Office for the Western District of Washington.
“Capital One quickly alerted law enforcement to the data theft -- allowing the FBI to trace the intrusion,” said U.S. Attorney Moran. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
Capital One's CEO said they were grateful the hacker has been caught, but are "deeply sorry for what has happened."
"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," CEO Richard D. Fairbank said in a statement.
Monday's disclosure comes just one week after Equifax announced it would be paying up to $700 million to settle lawsuits over its 2017 data breach.
Capital One has set up a website for customers to see updated information about the incident and the company's response. It expects the incident to cost the company $100 to $150 million.
The average cost of a data breach in the U.S. last year was just under $8 million, according to a study by IBM Security and Ponemon Institute.
According to USA TODAY, the Capital One incident is among the top 10 biggest data breaches in history.
The Associated Press contributed to this report.