The New York Times, CNN, and other media outlets recently published articles reporting that a software engineer in Seattle allegedly hacked into a server and obtained the personal data of over 100 million customers at Capital One. While this is not the first time Capital One has faced a major data breach, there were two things that made this case particularly notable. First, the breach is estimated to cost the bank up to $150 million and has been said to be one of the largest bank data breaches in history. Second, and of particular interest to HR leaders: the warning signs of this data breach were available right on public social media.
The suspect was Paige Thompson, 33, a former software engineer at Amazon Web Services, which hosted the database that was breached. Using the online alias “erratic,” Thompson had in many ways the persona typical of a software engineer in Seattle, participating in programming chatter with people in the field. However, her habit of oversharing also left a trail of digital breadcrumbs that led the FBI to her door. Thompson allegedly bragged about the breach on Twitter; shortly after the breach was discovered, she tweeted, “I have a whole list of things that will ensure my involuntary confinement from the world. I’m never coming back.”
Could Capital One have prevented this particular breach using social media data? Well, no. Thompson was not a Capital One employee, and the ‘trail of breadcrumbs’ that identified her as the suspect behind the hack was left after the breach had already occurred. But suppose Thompson was an employee at Capital One, or even Amazon. If that were the case, Amazon and Capital One could have had reams of information that painted a picture of who she was—a skilled programmer with a troubled past—and used social media to help prevent the attack.
Ms. Thompson was a skilled programmer. Her online presence made clear that she organized software engineering communities and meetups, a real positive in the eyes of many employers. According to former friends, she also had “a lot of potential to be very focused and do a lot in this world.” But along with the positive aspects of her profile were a host of troubled behaviors. In addition to her regular tweets, Thompson made many troubling posts over the years, speaking openly and darkly about her mental anguish, suicide ideation and use of both legal and illegal drugs.
Such a combination of data would have helped clue a potential employer in on her motivations. Even though she had allegedly bragged about the hacking, online community members who knew Thompson said they didn’t believe she had carried out the hack with malicious intent or for profit. They said they believed she thought the hack could bring her attention, respect and a new job. That reveals a much more nuanced psychological profile, and indicates that sometimes, an attack affecting hundreds of millions begins with one individual looking for some sort of recognition, more so than they are trying to commit an act of fraud.
“Harassing and threatening online behaviors are of significant concern to HR leaders. Those sorts of behaviors require immediate intervention, whether it’s a termination or legal action. Yet other indicators, such as frequent references to illegal drugs or self-harm, typically cause an employer to intervene with a welcoming or embracing message, to help that employee understand that there's a community that cares about them,” says our CEO Ben Mones.
It’s not hard to imagine how critical it would have been for Amazon to identify these signals early on if Thompson was at Amazon Web Services during the breach—or how a future hack might start with a disgruntled or desperate employee who might just need some recognition or help. Thompson’s story shows how a massive breach can begin with troubled behaviors. It also shows us how many of the warning signs are right under our noses, displayed in plain sight on the public web.