
Paige Thompson Charged With Hacking 30 Organizations

Thompson Accused of Stealing Data on 100 Million Americans From Capital One
A two-count federal indictment charges Paige Thompson with hacking and cryptojacking and says she used the handle "erratic" online.

Suspected Capital One hacker Paige A. Thompson was indicted by a federal grand jury Wednesday on computer crime charges, including stealing data from at least 30 organizations and using hacked servers to mine for cryptocurrency.


Thompson, a 33-year-old software engineer in Seattle who allegedly used the handle "erratic" online, was arrested last month on suspicion of accessing tens of millions of Capital One credit card applications after allegedly taking advantage of a misconfigured firewall, according to an earlier criminal complaint filed in Seattle federal court.

On Aug. 4, Capital One confirmed that data from 100 million U.S.-based individuals as well as 6 million individuals in Canada appeared to have been stolen.

Subsequent court documents filed by the U.S. Attorney's Office in Seattle revealed that investigators, after seizing servers from her home on July 29, had also found "multiple terabytes of data" allegedly stolen from more than 30 organizations between March and July.

Two-Count Indictment

The federal grand jury indictment charges Thompson with one count each of wire fraud and computer crime and abuse.

Federal indictment against Paige A. Thompson

The indictment alleges that from approximately March 12 to July 17, she hacked into a cloud computing service provider's servers and stole data "that contained information, including personal identifying information, from approximately 100 million customers who had applied for credit cards from Capital One." In the same time frame, Thompson allegedly also copied and stole data from at least 30 entities in total that used the same cloud provider.

Thompson allegedly also used her access to at least three victims' cloud computing servers to illegally mine for cryptocurrency - a practice known as cryptojacking.

The other victim organizations have not been named, although the indictment does describe some of the victims, referring to a state agency and a public research university - located in states other than Washington - as well as "a telecommunications conglomerate located outside the United States that provides services predominantly to customers in Europe, Asia, Africa and Oceania."

The charges in the indictment carry penalties of up to 25 years in prison. Thompson is due to be arraigned on the indictment on Sept. 5.

Misconfigured Firewalls

Thompson allegedly created tools for scanning servers hosted by an unnamed "cloud computing company" which victims had rented or contracted to use. That allowed her "to identify servers for which web application firewall misconfigurations permitted commands sent from outside the servers to reach and be executed by the servers," according to the indictment.

Federal investigators believe this is Paige A. Thompson's Twitter account. Twitter has suspended the account.

Subsequently, Thompson was able to issue commands to misconfigured servers that revealed account security credentials to her, which she used "to obtain lists or directories of folders or buckets of data in the cloud computing company customers’ storage space at the cloud computing company," from which she then copied data to servers stored at her residence, the indictment alleges.
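The indictment describes a chain of credentials obtained from a misconfigured server being used to list and copy storage buckets from outside the cloud provider's network. The check below is an added illustration (not code from the article, the indictment or any provider) of how a defender would flag that pattern in audit logs: server-role credentials performing enumeration or bulk reads from a source address the server itself could never be behind. The event field names, the trusted network ranges and the sample events are all constructed assumptions for this example.

```python
import ipaddress

# Constructed sample audit events (field names are an assumption made for this
# example, not any cloud provider's real log schema).
SAMPLE_EVENTS = [
    {"time": "2019-04-21T03:10:00Z", "identity": "role/web-app-server",
     "source_ip": "10.0.1.15", "action": "storage:GetObject", "bucket": "static-assets"},
    {"time": "2019-04-21T03:12:41Z", "identity": "role/web-app-server",
     "source_ip": "198.51.100.23", "action": "storage:ListBuckets", "bucket": None},
    {"time": "2019-04-21T03:13:05Z", "identity": "role/web-app-server",
     "source_ip": "198.51.100.23", "action": "storage:ListObjects", "bucket": "card-applications"},
    {"time": "2019-04-21T03:15:30Z", "identity": "user/alice",
     "source_ip": "198.51.100.23", "action": "storage:GetObject", "bucket": "reports"},
]

# Networks from which a server's own credentials are legitimately used:
# the private VPC range plus a corporate egress range (constructed values).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

# Enumeration and bulk-read calls: the steps the indictment places between
# credential theft and copying data out.
FLAGGED_ACTIONS = {"storage:ListBuckets", "storage:ListObjects", "storage:GetObject"}


def is_server_credential(identity: str) -> bool:
    """Temporary credentials attached to a server role rather than a human user."""
    return identity.startswith("role/")


def outside_trusted_networks(ip: str) -> bool:
    """True when the caller's address is not in any network the server sits in."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def find_misused_server_credentials(events):
    """Events where server credentials list or read storage from an untrusted IP."""
    return [e for e in events
            if is_server_credential(e["identity"])
            and e["action"] in FLAGGED_ACTIONS
            and outside_trusted_networks(e["source_ip"])]


def buckets_enumerated(events):
    """Buckets touched by flagged events, for scoping what may have been exposed."""
    return {e["bucket"] for e in find_misused_server_credentials(events) if e["bucket"]}


if __name__ == "__main__":
    for e in find_misused_server_credentials(SAMPLE_EVENTS):
        print(f"{e['time']} {e['identity']} from {e['source_ip']}: {e['action']} {e['bucket'] or ''}")
```

Human-user events from the same external address are deliberately left to other rules; the point of this check is the mismatch between a server identity and a non-server source.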

Suspect Allegedly Used Tor, iPredator

Thompson attempted to conceal her identity and location by using a virtual private networking service called iPredator as well as using the anonymizing Tor network to access the cloud computing servers, according to the indictment.

Sweden-based iPredator, which is incorporated in Cyprus and owned by The Pirate Bay, didn't immediately respond to a request for comment on whether it assisted U.S. authorities with their investigation or plans to do so.

While the cloud computing host referenced in the indictment hasn't been named, Thompson worked for Amazon Web Service's Simple Cloud Storage Service - aka Amazon S3 - from 2015 to 2016. Because Capital One uses S3, security experts have suggested that she may have discovered weaknesses in Capital One's implementation while working at Amazon.

FBI Cites GitHub Boast

The Department of Justice says Thompson's arrest came after she allegedly bragged on code-sharing site GitHub - and potentially also social media outlets - that she'd stolen Capital One data. On July 17, an unnamed GitHub user warned Capital One that it may have suffered a data breach.

Capital One received this email tipping it off to the breach, according to the criminal complaint.

On July 19, Capital One says that it "determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products."

The FBI says it subsequently identified Thompson as the likely culprit.

Capital One Apologizes

Headquartered in Virginia, Capital One Financial Corp. is a financial holding company with subsidiaries - including Capital One N.A. and Capital One Bank (USA) N.A. - that had $254.5 billion in deposits and $373.6 billion in total assets as of June 30. After the breach came to light, the company quickly apologized for not preventing the hack attack (see: Capital One: Where Did the Bank Fail on Defense?).

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Richard D. Fairbank, chairman and CEO of Capital One, said of the alleged suspect's arrest. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

But there's potential good news for individuals whose data was exposed: "Investigators have found no evidence that Thompson sold or disseminated any of the information she accessed," the Justice Department says.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
