10 Things To Know About The Ex-AWS Worker Who Allegedly Hacked Capital One
Here's a deeper look at how Paige A. Thompson, 33, is alleged to have stolen the personal data of 106 million Capital One credit card applicants and users and how she ultimately ended up being arrested by authorities.
Catch Me If You Can
FBI agents Monday arrested Seattle software engineer Paige A. Thompson in connection with the spring 2019 breach of Capital One, which ended up exposing personal information from 106 million credit card applicants and customers in the U.S. and Canada.
A 12-page complaint against Thompson was filed by an FBI special agent Monday with the U.S. District Court for the Western District of Washington, charging her with computer fraud and abuse. Several hours later, Capital One put out a statement acknowledging the breach and explaining how it's expected to impact the McLean, Va.-based banking giant. U.S. Attorney Brian T. Moran also issued a statement on the breach.
"Capital One quickly alerted law enforcement to the data theft—allowing the FBI to trace the intrusion," Moran said in a statement. "I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it."
Here's a look at how federal prosecutors say Thompson hacked Capital One and how she ultimately ended up being arrested by authorities.
10. Thompson Was An AWS Systems Engineer In 2015 And 2016
Thompson's GitHub profile includes a resume indicating that she previously worked as a systems engineer for a company that provides cloud computing services, according to the complaint. Although the complaint doesn't identify the company by name, sources familiar with the situation told CRN that the employer was Amazon Web Services.
Sources said Thompson left AWS roughly three years before Capital One was hacked. An online resume belonging to Thompson indicates that she worked as a software engineer, systems architect or systems administrator at seven primarily Seattle-area companies between 2005 and 2015 before joining AWS in the first half of that year.
Thompson also maintained a presence on Meetup, Slack and Twitter, incorporating the username "erratic" into her handle or profile, according to the complaint.
9. Thompson Faces Up To Five Years In Prison
Thompson has been charged by federal prosecutors with computer fraud and abuse for accessing without authorization a computer belonging to Capital One and obtaining information from the protected computer with a value in excess of $5,000. Computer fraud and abuse is punishable by up to five years in prison and a fine of $250,000, according to the U.S. Attorney's Office.
Thompson was investigated by FBI Special Agent Joel Martini, who is based in the agency's Seattle field office and specializes in computer intrusions and other cybercrimes. Martini has worked as a computer forensic examiner for the FBI for approximately five years.
Thompson made her initial appearance in U.S. District Court in Seattle Monday and has been detained pending a hearing Thursday, the U.S. Attorney's Office said. Thompson broke down and laid her head down on the defense table during Monday's hearing, according to a Bloomberg report.
8. Breach Will Cost Capital One At Least $100M In 2019 Alone
Thompson's alleged breach of Capital One will force the financial services giant to spend between $100 million and $150 million on customer notifications, credit monitoring, technology and legal support in 2019 alone. Capital One said its cyber risk insurance is subject to a $10 million deductible and carries a total coverage limit of $400 million.
Capital One's stock fell $3.92 (4.04 percent) to $93 per share in after-hours trading Monday. Bloomberg first reported on the breach shortly after 6 p.m. ET Monday, and Capital One disclosed the incident an hour later.
The company said it expects to accrue the costs for customer notification and credit monitoring in 2019. Capital One anticipates that any incremental investments in cybersecurity will be funded within the company's current budget.
7. Thompson Allegedly Posted On GitHub About Breaching Capital One
Information obtained from the Capital One intrusion was posted on a GitHub page whose URL included Thompson's full name, according to the complaint. GitHub is a hosting service for source-code repositories and the revision history of projects.
Records obtained from Capital One also indicated that the IP addresses used by Thompson are controlled by prepaid VPN service provider IPredator, and were also used by Thompson to make postings on GitHub, the complaint alleged. Some of the GitHub postings were made very close in time to the intrusions, according to the complaint.
Statements made by Thompson on social media also indicate that she has information belonging to Capital One, the complaint alleged.
6. Thompson's Full Name Appears On The File Containing Leaked Data
Capital One maintains an email address through which it solicits disclosures of actual or potential vulnerabilities in its computer systems in an effort to avert breaches, according to the complaint. Ethical or "white hat" hackers are often the ones discovering and disclosing security vulnerabilities to vendors, the complaint said.
A previously unknown individual emailed Capital One on July 17 indicating that some of the company's leaked S3 data had been found in someone else's GitHub repository. S3 is Amazon Web Services' Simple Storage Service, its object storage service; data in S3 is kept in containers called buckets.
The address of the GitHub file containing the leaked data includes Thompson's full first, middle and last name, according to the complaint.
5. Thompson Allegedly Seized Upon A Firewall Misconfiguration To Go After Capital One
The complaint indicates that a firewall misconfiguration let Thompson reach folders, or buckets, of data in Capital One's AWS storage. The GitHub file referenced in the vulnerability disclosure email was time-stamped April 21, 2019, and contained code for three commands as well as a list of more than 700 buckets.
Taken together, the complaint said, the commands made it possible for an adversary to obtain Capital One's credentials, list or enumerate its buckets, and extract data from certain of them. AWS itself wasn't compromised in any way, sources said: the entry point was a misconfiguration of the firewall in front of Capital One's web application, on the customer's side of the shared-responsibility line, rather than a flaw in the underlying cloud infrastructure. Because the credentials obtained in the first step were valid, the listing and extraction that followed would have looked to the storage service like authorized requests; what makes such activity detectable is where the requests came from and what they touched, which is what the log evidence in the complaint turns on.
The 700-plus folders and buckets listed in Thompson's April 21 GitHub file matched the actual names of folders or buckets of data used by Capital One for data stored at AWS, according to the complaint. The time stamp in Capital One's logs also matches the time stamp in the April 21 file, the complaint said.
4. Thompson Allegedly Connected To Capital One's Server Many Times This Year
Thompson connected or attempted to connect through the misconfigured firewall to Capital One's server on a number of occasions during March and April 2019, according to the complaint. The first attempt from Thompson's IP address to access Capital One's data occurred on March 12, and 10 days later, the IP address repeatedly asked for a list of the folders and buckets in Capital One's storage space.
Also on March 22, the complaint said information was obtained from Capital One's folders or buckets that contained credit card application data. The IP address used to execute a number of these commands is also controlled by IPredator, according to the complaint.
One of the files copied from Capital One's buckets that day had never been accessed at any other point in 2019, according to the complaint. A month later, a list-buckets command was executed from an IP address that also belonged to IPredator, the complaint said.
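The pattern the complaint describes, a role's credentials obtained and then used from a VPN address to enumerate buckets and pull their contents, shows up in CloudTrail-style logs as a ListBuckets call followed by a burst of ListObjects and GetObject calls across many buckets (a bulk copy such as `aws s3 sync` produces exactly that burst). The following is an added example, not code from the complaint, from Capital One or from AWS: it runs that check over a handful of constructed records, flattened to the fields the check needs. The role name, the trusted egress range and the thresholds are assumptions.

```python
"""Added example (not from the complaint, Capital One or AWS): flag the
credentials -> enumerate -> extract pattern in CloudTrail-style records.
Records are flattened to the fields the check needs; every value below is
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: the instance role the firewall host runs under. Its temporary
# credentials should only ever be presented from the host itself.
WATCHED_ROLE = "WAF-Role"
# Assumption: the only egress range from which that role is legitimately seen.
TRUSTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records. "role" stands in for
# userIdentity.sessionContext.sessionIssuer.userName in a real CloudTrail event.
EVENTS = [
    {"eventTime": "2019-03-22T09:00:00Z", "eventName": "ListObjects",
     "sourceIPAddress": "203.0.113.10", "role": "WAF-Role", "bucket": "waf-logs"},
    {"eventTime": "2019-03-22T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": None},
    {"eventTime": "2019-03-22T10:01:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2017"},
    {"eventTime": "2019-03-22T10:02:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2017"},
    {"eventTime": "2019-03-22T10:03:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2018"},
    {"eventTime": "2019-03-22T10:05:00Z", "eventName": "ListObjects",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2016"},
    {"eventTime": "2019-03-22T10:08:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2015"},
    {"eventTime": "2019-03-22T10:12:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2014"},
    {"eventTime": "2019-03-22T10:20:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "role": "WAF-Role", "bucket": "cc-app-2013"},
    # A second outside address that only enumerated: suspicious, but no bulk read.
    {"eventTime": "2019-03-22T11:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.9", "role": "WAF-Role", "bucket": None},
    # A different role seen from outside the range is out of scope for this check.
    {"eventTime": "2019-03-22T11:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.20", "role": "Deploy-Role", "bucket": "artifacts"},
]


def event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def from_untrusted_ip(ev):
    addr = ipaddress.ip_address(ev["sourceIPAddress"])
    return not any(addr in net for net in TRUSTED_EGRESS)


def off_host_role_use(events):
    """IPs outside the trusted egress range that presented the watched role's
    credentials at all. Any hit means the role's credentials left the host."""
    return {ev["sourceIPAddress"] for ev in events
            if ev["role"] == WATCHED_ROLE and from_untrusted_ip(ev)}


def find_exfil_sequences(events, window=timedelta(hours=1), min_buckets=5):
    """For each off-host IP, look for ListBuckets followed within `window` by
    reads (GetObject/ListObjects) from at least `min_buckets` distinct buckets."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=event_time):
        if ev["role"] == WATCHED_ROLE and from_untrusted_ip(ev):
            by_ip[ev["sourceIPAddress"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        enumerations = [event_time(e) for e in evs if e["eventName"] == "ListBuckets"]
        if not enumerations:
            continue
        t0 = min(enumerations)
        buckets = {e["bucket"] for e in evs
                   if e["eventName"] in ("GetObject", "ListObjects")
                   and t0 <= event_time(e) <= t0 + window}
        if len(buckets) >= min_buckets:
            findings.append({"ip": ip, "role": WATCHED_ROLE,
                             "enumerated_at": t0.isoformat(),
                             "buckets_read": len(buckets)})
    return findings


if __name__ == "__main__":
    print("role credentials used off-host from:", sorted(off_host_role_use(EVENTS)))
    for f in find_exfil_sequences(EVENTS):
        print("bulk read after enumeration:", f)
```

The first check alone is the important one: an instance role's credentials appearing from any address that is not the instance is a compromise indicator regardless of what follows. The second narrows to the bulk-read shape. In a real deployment, ListBuckets is a CloudTrail management event, while GetObject and ListObjects are S3 data events that are not logged unless data-event logging is enabled for the buckets concerned; without it, the enumeration is visible but the extraction is not.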
3. Thompson Allegedly Accessed Social Security And Bank Account Numbers
The data copied from Capital One's folders or buckets in the breach includes 1 million Canadian Social Insurance Numbers, 140,000 U.S. Social Security numbers, and 80,000 linked bank account numbers of Capital One customers, the company said.
Consumers and small businesses that applied for a Capital One credit card between 2005 and early 2019 had their name, address, ZIP code/postal code, phone number, email address, date of birth, and self-reported income allegedly accessed by Thompson, according to the company. Roughly 100 million people in the U.S. and 6 million people in Canada were affected by the breach, according to Capital One.
Capital One said it encrypts its data as a standard practice, but that the circumstances of this intrusion also enabled the decrypting of that data. That is consistent with an attacker operating with credentials that were themselves authorized to read the data: storage-level encryption is applied and removed transparently for any authorized caller, so it defends against someone who obtains the raw storage, not against someone who obtains the credentials. Capital One said, however, that highly sensitive fields such as Social Security numbers and account numbers were also tokenized, meaning the value in the field was replaced with a cryptographically generated substitute that cannot be mapped back to the original without access to the tokenization system.
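Tokenization is what keeps a tokenized field out of reach even when the bucket holding it is copied with valid credentials. The following is an added example, not Capital One's implementation, of a vault-based tokenizer: applications are stored with a random nine-digit token in place of the SSN, the mapping lives only in the vault, and a copy of the stored records therefore contains no SSN. The applicant records and the access flag standing in for the vault's access control are constructed for illustration.

```python
"""Added example (not Capital One's implementation): vault-based tokenization
of SSNs. A copied record set reveals only tokens; recovering a value requires
the vault, which sits behind its own access control (modelled by a flag)."""
import re
import secrets

SSN_SHAPE = re.compile(r"\d{9}")


class TokenVault:
    """Maps each sensitive value to a random, format-preserving token.
    Tokens are drawn at random, so they carry no information about the value;
    the mapping exists only inside the vault."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_SHAPE.fullmatch(ssn):
            raise ValueError("expected nine digits")
        if ssn in self._token_for:          # same value -> same token (joinable)
            return self._token_for[ssn]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(9))
            # Never hand out a token that equals a real value or an existing token.
            if token not in self._token_for and token not in self._value_for:
                break
        self._token_for[ssn] = token
        self._value_for[token] = ssn
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        # `authorized` stands in for the vault's own access control, which is
        # separate from whatever permissions the data store grants.
        if not authorized:
            raise PermissionError("detokenization requires vault access")
        return self._value_for[token]


# Constructed applicant records; the third shares an SSN with the first.
SAMPLE_APPLICATIONS = [
    {"name": "Applicant One", "ssn": "123456789", "income": 52000},
    {"name": "Applicant Two", "ssn": "987654321", "income": 61000},
    {"name": "Applicant One", "ssn": "123456789", "income": 53000},
]


def tokenize_applications(vault, applications):
    """What gets written to the data store: every field as-is except the SSN,
    which is replaced by its token."""
    return [{**app, "ssn": vault.tokenize(app["ssn"])} for app in applications]


def leaked_ssns(stored_records, real_ssns):
    """Real SSNs that appear in a copy of the stored records."""
    return {rec["ssn"] for rec in stored_records if rec["ssn"] in real_ssns}


def attacker_can_recover(vault, token):
    """What an attacker holding the copied records, but not vault access, gets."""
    try:
        vault.detokenize(token, authorized=False)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_applications(vault, SAMPLE_APPLICATIONS)
    print(stored)
    print("leaked:", leaked_ssns(stored, {a["ssn"] for a in SAMPLE_APPLICATIONS}))
```

The mapping here is deterministic (the same SSN always yields the same token) so that records can still be joined on the field; that is the usual requirement for analytics stores, at the cost of revealing which records share a value. Whatever the choice, the security property is the same: the data store and its credentials grant access to tokens, and only the vault, with its own separately controlled credentials, can turn them back into values.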
2. Thompson Allegedly Boasted About Her Exploits On Social Media
The complaint alleged that Thompson intended to disseminate data stolen from victim entities, starting with Capital One.
On June 18, the complaint said Twitter user "ERRATIC" (whose profile information matches Thompson) sent a direct message to the individual who reported the breach to Capital One, stating "Ive basically strapped myself with a bomb vest … dropping capital ones dox and admitting it. I wanna distribute those buckets I think first. There ssns…with full name and dob [sic]."
Nine days later, the complaint claims Slack user "erratic" (believed by authorities to be Thompson, according to the complaint) responded to another person in the Slack channel, posting "don't go to jail plz" with "Im like > ipredator > tor > s3 on all this. .... I wanna get it off my server that's why I'm archiving all of it lol … I've also got a leak proof IPredator router setup if anyone nneds it [sic]."
The chain "ipredator > tor > s3" in that response describes the route Thompson allegedly used: from her machine through the IPredator VPN, then through Tor, to the S3 storage holding Capital One's data. Layering a VPN and Tor is meant to hide the origin of the traffic, but the complaint ties the intrusions to Thompson through the IPredator addresses that also appear in her GitHub activity, not by unmasking the tunnel.
1. Thompson Allegedly May Have Gone After Other Firms
FBI Special Agent Martini said in the complaint that he obtained a search warrant Friday to search Thompson's residence for evidence in the Capital One case. On Monday, Martini and other FBI agents executed the search warrant, finding Thompson and four other individuals present at the residence.
Numerous digital devices were seized from the bedroom believed to belong to Thompson, according to the complaint. The complaint states an initial search of Thompson's devices turned up files and items that reference Capital One and AWS.
Items on Thompson's devices also referenced the "erratic" alias she uses on several online forums and networks, as well as other entities that may have been the targets of attempted or actual network intrusions, according to the complaint. Electronic storage devices containing a copy of the stolen data were seized, the U.S. Attorney's Office said.