LOS ANGELES • A hacker accessed more than 100 million credit card applications with United States financial heavyweight Capital One, the firm has said, in one of the biggest data thefts to hit a financial services company.
FBI agents arrested Paige Thompson, 33, a former Seattle technology company software engineer, after she boasted about the data theft on information-sharing site GitHub, the authorities said.
"The intrusion occurred through a misconfigured Web application firewall that enabled access to the data," a statement by the US attorney's office in the north-western state of Washington said.
"On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft."
It said the Virginia-based bank, which specialises in credit cards, contacted the Federal Bureau of Investigation after confirming the data theft, which took place between March 12 and July 17 this year.
"According to Capital One, the data includes data regarding large numbers of (credit card) applications, likely tens of millions of applications," according to the criminal complaint.
In a statement, Capital One said the hack affected 100 million individuals in the US and six million in Canada.
"Importantly, no credit card account numbers or log-in credentials were compromised, and over 99 per cent of social security numbers were not compromised," the bank said.
Thompson, who used the alias "erratic" in online conversations, allegedly posted several times about the data theft on GitHub and social media.
One posting on a Twitter account with the user name "erratic" read: "I've basically strapped myself with a bomb vest ... dropping capital ones dox and admitting it," according to the complaint.
The authorities said electronic storage devices containing a copy of the stolen data were allegedly recovered at her residence on Monday.
Capital One said some of the information stolen, such as social security numbers, is encrypted or tokenised.
Other information including names, addresses, dates of birth and credit card history was not secured.
The company said it expects the breach to cost between US$100 million (S$137 million) and US$150 million.
Thompson faces up to five years in prison and a US$250,000 fine if convicted on the charge of computer fraud.