The FBI arrested a woman named Paige A. Thompson for allegedly gaining access to more than 100 million Capital One customers' data earlier this year. It was one of the biggest breaches ever.
The US Department of Justice's complaint against Thompson presents a picture of a woman who was clever enough to find a trove of personal information from America's seventh-largest bank, but not careful enough to cover her tracks.
Thompson is a 33-year-old living in Seattle who had previously worked as a systems engineer for a cloud hosting company that Capital One used. The Justice Department complaint didn't name the cloud company, but Amazon Web Services confirmed her former employment to CNN Business, noting she left the company three years before the breach.
The FBI raided Thompson's home in Seattle's Beacon Hill neighborhood. One of her roommates provided surveillance video of the raid to Q13 News and told us more about what happened.
"It was around 6. We woke up to a loud bang, and we went out to look in the hallway and one of the housemates, went to open the door and about 10 M4s were in our face, and an FBI raid team, they were cuffing her ... and we came out into the hallway to figure out what was going on," said the roommate, who asked not to be identified.
Roommates told Q13 that FBI agents asked if they knew what Thompson was up to. They said they were clueless, but did note that she may not have done this maliciously.
The complaint alleges Thompson gained access to an Amazon server, taking advantage of a web app that Capital One configured incorrectly.
In the documents, FBI investigator Joel Martini alleges Thompson used the alias "erratic" for several of her online accounts including Twitter, Meetup and Slack.
The documents include screenshots from a discussion in Slack, a chat service typically used by businesses and other groups, in which Thompson, as "erratic," allegedly posted a list of Capital One files she claimed to possess. She allegedly explained the command she used to extract files in a Capital One directory stored on Amazon servers.
"I wanna get it off my server that's why Im archiving all of it lol," Thompson allegedly posted on Slack.
The agency also alleges that Thompson made statements on social media about possessing Capital One data. The complaint listed a Twitter handle that allegedly belongs to Thompson, @0xa3a97b6c, that was still live as of Tuesday morning.
"Ive basically strapped myself with a bomb vest, f---ing dropping Capital One's dox and admitting it," Thompson allegedly wrote a private message via Twitter to the person who later reported the breach.
The Justice Department also said Thompson posted "information obtained from the intrusion" to a page on GitHub, a software development site where programmers can post projects. On the page that allegedly belongs to her, Thompson included her full first, middle and last name.
Thompson allegedly sent a Twitter message to the person who reported the breach to Capital One, saying she wanted to distribute the names, Social Security numbers and dates of birth of the customers whose records she breached.
Thompson is also a pet owner, according to the complaint. Part of the digital breadcrumb trail the investigators followed included a Slack post from the "erratic" user about a veterinarian's estimate for care for "one of her pets," the complaint said.
Capital One said the breached information includes 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information.