Federal Prosecutors Accuse Capital One Hacker of Hitting Dozens More Targets

The woman charged with hacking into millions of Capital One Financial Corp. records hit more than 30 other targets, federal prosecutors said, significantly expanding the scale of what was already considered one of the largest heists of data stored in the cloud.

Source: WSJ | Published on August 15, 2019

AT&T data breach impacts 73 million

Paige A. Thompson, a former Amazon.com Inc. employee, was arrested on July 29, and charged with stealing 106 million Capital One records in one of the largest-ever bank-data thefts. Ms. Thompson also stole multiple terabytes of data from more than 30 other companies, educational institutions and others, prosecutors said in a court filing Tuesday.

Ms. Thompson, who has remained in custody, is scheduled to appear at a bail hearing Aug. 22.

Prosecutors, citing Ms. Thompson’s past behavior, asked the court to deny bail out of concern she would “resort to threats, violence, or cybercrime.” They said Ms. Thompson had a “long history” of threatening to kill others and herself. Prosecutors also said they consider Ms. Thompson a flight risk.

In online discussion forums, Ms. Thompson expressed frustration over her 2016 dismissal from Amazon, and subsequent inability to find employment.

She claimed to earn money by installing cryptocurrency-mining software on some of the computer systems she accessed. Security experts who have viewed her posts said Ms. Thompson displayed a high level of technical knowledge on the inner workings of Amazon’s cloud.

Earlier this week, Ms. Thompson declined a request from The Wall Street Journal for an interview, relayed to her by prison officials. Her lawyer didn’t immediately respond to a request for comment on the latest accusations.

Ms. Thompson allegedly exploited a common cloud configuration problem to access the Capital One data. The bank has taken responsibility for not adequately securing its systems, but the incident also has raised questions about whether Capital One’s cloud-computing provider, Amazon, could do more to protect its customers. Amazon, the world’s largest cloud-computing company, has said that none of its services were the underlying cause of the break-in.

An Amazon spokesman on Wednesday said that the company is now running checks and alerting customers if they have the kind of firewall misconfiguration that Ms. Thompson allegedly exploited. “Other than Capital One, we haven’t yet heard from customers about a significant loss,” he said in an email.

Amazon is also considering additional changes that it can make to its cloud subsystems that will better protect its customers, the company said in a letter dated Wednesday and sent in response to questions about the breach raised last week by Sen. Ron Wyden (D., Ore.).

In a statement, Sen. Wyden said that while he appreciates the steps Amazon is taking to address these security issues, the company still needs to do more to protect its customers. “Without additional action, I fear we will continue to see repeats of the Capital One breach, with American consumers as the real victims,” he said.

Ms. Thompson’s alleged hack was discovered after she posted details about her hack online, leading a tipster to notify Capital One.

Prosecutors said they expect to add to the charges against Ms. Thompson for each additional entity hit. “Although not all of those intrusions involved the theft of personal identifying information, it appears likely that a number of the intrusions did,” prosecutors said.

The investigation into who exactly was targeted and what information was taken continues, they said.

The latest filings didn’t say whether all of the affected companies are Amazon customers.

In online postings viewed by the Journal, Ms. Thompson suggested she had accessed data at several other entities, including Ford Motor Co., UniCredit SpA, Italy’s largest bank, and Michigan State University. Ford said it wasn’t affected. UniCredit and Michigan State University have said they were investigating the incident.

The impact of Ms. Thompson’s crime, prosecutors said, “will be immense.” Capital One has said the data breach will cost it as much as $150 million. A Capital One spokeswoman didn’t immediately return messages seeking comment.

Prosecutors, in their latest court submission, also detail several of the run-ins Ms. Thompson had with law enforcement before her arrest last month.

In March, police were called to Ms. Thompson’s Seattle residence after she allegedly tried to strike a roommate. Police again were called to the house two months later after Ms. Thompson allegedly had threatened to “shoot up” the office of an unnamed California technology company, prosecutors said.