
Capital One Financial Corp. set up an email address for tipsters — including “white hat” hackers — to alert the company to potential vulnerabilities in its computer systems. On July 17, the company got a hit.

“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone's github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.

It didn't take Capital One long to figure out who had accessed its files. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.

“I've basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the “erratic” alias, in a June 18 Twitter message. “There ssns…with full name and dob” — an apparent reference to Social Security numbers.

Damage assessment

It also didn't take Capital One much time to assess the damage. On Monday, it announced that about 100 million people in the U.S. had been impacted by the breach, and another 6 million in Canada. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.

Most Social Security numbers were protected, but about 140,000 were compromised, the bank said. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”

The company described the tipster to the hack as an “external security researcher.”

Thompson, 33, was charged with computer fraud and abuse. In a court hearing Monday, she broke down and laid her head on the defense table. On Tuesday, New York Attorney General Letitia James announced that her office is opening an investigation into the Capital One breach.

The scale of the breach ranks it as possibly one of the largest-ever impacting a U.S. bank, although the consequences may be limited if the data wasn't distributed to others or used for fraud.

Capital One shares fell as much as 6.5 percent Tuesday morning, their biggest decline in six months.

Security lapses

The breach shows how hackers can steal vast troves of consumer data as the result of lapses made by the companies that collect it. In 2017, Equifax Inc. failed to patch a known flaw in its servers, resulting in the theft of 145 million Social Security numbers, along with the names and dates of birth of possibly a third of the U.S. population.

In the Capital One case, Thompson was allegedly able to steal vast buckets of personal data because of an improperly configured firewall — among the most basic digital security tools. The bank said it immediately fixed the problem once it was discovered.

In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.

The Capital One data had been stored on servers it contracted from a cloud computing company that isn't identified, though the charges against Thompson refer to information stored on S3, a reference to Amazon Web Services' popular data storage software.

An AWS spokesman confirmed that the company's cloud had stored the Capital One data that was allegedly stolen, and said it wasn't accessed through a breach or vulnerability in its systems.

Cloud advocate

Capital One has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020. The move will help lower costs, the company has said.

The lender has been the subject of several case studies published by Amazon Web Services that noted the cloud services provider has helped the company develop new technologies faster and improve certain services including its call center.

“We have embraced the public cloud and are well on our way to migrating our applications and data to the cloud,” Chief Executive Officer Richard Fairbank told analysts on a conference call in April. “We are now considered one of the most cloud forward companies in the world.”

Thompson, previously an Amazon Web Services employee, last worked at Amazon in 2016, a spokesman said. The breach described by Capital One didn't require insider knowledge, he said.

'Wa Wa Wa'

Much of what could be learned about her Monday was information she had posted online. On her GitHub account, she was writing code dealing with The Onion Router, or Tor, an anonymity tool that allows users to conceal their identities. Capital One investigators determined that Thompson used it in her hack of the bank, according to federal prosecutors.

In online interactions, Thompson suggested she was careful to hide her digital tracks with various security tools, including Tor. But the federal complaint against her outlines relatively simple ways Capital One and the FBI were able to establish her identity, including the name on her GitHub page.

Thompson was active in the hacking community on Twitter, and she wrote recently about struggling emotionally, and about euthanizing her beloved cat.

On June 27, “erratic” posted about several companies, including Capital One, in an online group, according to court records.

“don't go to jail plz,” another user wrote.


“Wa wa wa wa, wa wa wa wa wa wa wawaaaaaaaaaaaa,” Thompson responded, and later added, “I just don't want it around though. I gotta find somewhere to store it.”

On July 29, Federal Bureau of Investigation agents executed a warrant to search Thompson's residence. In one bedroom, they found digital devices with files that referenced Capital One and its cloud computing company. The devices also included the alias “erratic.”

Copyright 2019 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
