US arrests 'erratic' hacker over data theft

July 30, 2019

The hacker had stolen personal information from 100 million credit applications made to one of the biggest banks in the US. Financial institutions are increasingly targeted by cybercriminals seeking valuable client data.


US federal authorities late Monday arrested a female hacker, alias "erratic," on charges of stealing personal information from more than 100 million Capital One credit card applications.

Europol has identified the financial sector as one of the most vulnerable to cyberattacks, especially those resulting in data breaches.

What we know about the hack:

  • Those affected include 100 million people in the US and 6 million in Canada.
  • The victims were mostly consumers and small businesses.
  • Information about credit limits, balances, transactions and Social Security numbers was compromised.
  • The hacker did not acquire credit card account numbers.
  • Capital One discovered the breach on July 19.
  • "Other entities" besides Capital One may have been targeted.

'Deeply sorry'

The US attorney's office in Washington said: "The intrusion occurred through a misconfigured web application firewall that enabled access to the data."

According to court documents, the suspect told another Twitter user: "I've basically strapped myself with a bomb vest, f***ing dropping Capital One's dox and admitting it."

Capital One CEO Richard Fairbank said in a statement: "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Growing issue

The Capital One data breach comes a week after Equifax, a US credit monitoring agency, agreed to pay out up to $700 million (€629 million) for a data breach that exposed the personal information of more than 145 million customers.

Authorities are still debating if and how companies should be held responsible for data breaches, especially when the personal data of millions of citizens is compromised.

What do we know about the suspect? She is a former software engineer for a Seattle-based technology company. She shared the data on the code-hosting website GitHub.

What happens next? If the suspect is found guilty, she faces up to five years in prison and a fine of up to $250,000. Capital One said it would provide free credit monitoring and identity protection for those affected.

ls/rt (AP, AFP)