Just as Equifax is settling an FTC case on the massive data breach from a couple of summers ago, Capital One had to come forward and admit that it suffered a massive breach of its own, affecting more than 100 million customers in America and Canada. The person responsible is already in custody, however, with the FBI saying she practically admitted everything online.

Capital One said in a press release that the hack was discovered on July 19th, nearly four months after it happened. The bank took immediate measures to patch the issue and worked with law enforcement on the matter.

Nevertheless, the hacker was able to extract data from Capital One’s server, putting at risk up to 100 million US customers and 6 million Canadian clients. The bank doesn’t believe that any of the stolen data was used for fraud or shared with others, but it’s still going to offer free credit monitoring and identity protection services to those affected.

The hacker stole information that Capital One “routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.” On top of that, the hacker stole more data about some Capital One customers:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers
  • Approximately 1 million Social Insurance Numbers (for Canadian users)

Paige Thompson is the alleged hacker, BBC reports, and she was arrested on Monday after boasting about the breach online. She posted about the data breach on an online forum, with a GitHub user alerting Capital One on July 17th, according to court documents filed by the US justice department. The hacker faces up to five years in prison and a $250,000 fine.

“I’ve basically strapped myself with a bomb vest, dropping capital ones dox and admitting it,” Thompson posted on Slack, per Gizmodo. The New York Times says that her posts on social network Meetup alerted the FBI, who then traced her online activity to Twitter and Slack.