Paige Thompson, a software engineer in Seattle, hacked into a server for Capital One and obtained the personal information of over 100 million people, federal prosecutors said yesterday.
In one of the largest thefts of data from a bank, Thompson, 33, boasted online and left a trail for investigators, court documents revealed. She was arrested and charged with one count of computer fraud and abuse.
She was not shy about her work as a hacker. Her activity on Meetup caught the eye of the FBI, who then began tracing her other online activities. The trail led them to posts she had made on Slack and Twitter describing data theft.
Ms. Thompson formerly worked for Amazon Web Services, the host for the Capital One data that was compromised. She is listed on Meetup as the organizer of a group called Seattle Warez Kiddies, described as a meeting place for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” According to prosecutors, Ms. Thompson, whose online name was “erratic,” wrote in a post on Slack:
“I’ve basically strapped myself with a bomb vest, dropping capital ones dox and admitting it.”
Court papers and Capital One, the nation’s third-largest credit card issuer, revealed that Ms. Thompson stole 140,000 Social Security numbers and 80,000 bank account numbers in the breach.
In addition to the theft of tens of millions of credit card applications dating from as early as 2005 to the present, the data breach also affected consumers in Canada. Investigators said one million Canadian social insurance numbers (equivalent to US Social Security numbers) were stolen. The bank said in a statement:
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
Amazon Web Services hosts the remote data servers that companies use to store their information. However, large enterprises like Capital One build their own web applications on top of Amazon’s cloud data. This allows them to use the information in ways that specifically fit their needs.
According to the FBI agent who investigated the breach, Ms. Thompson was able to reach the sensitive data through a “misconfiguration” of a firewall on a web application. That allowed her to access the Capital One server and get her hands on customer files.
FBI agents executed a search warrant at Ms. Thompson’s house on Monday. Prosecutors said they seized “numerous digital devices.” On these devices they found “items that referenced Capital One” and Amazon, which they referred to in the complaint only as the “cloud computing company.”
Capital One’s chief executive Richard D. Fairbank said in a statement:
“I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”
Capital One said the bank account numbers that were stolen came from customers with “secured” credit cards. Secured cards require customers to put forth a sum of money ($200 or $250) in order to get the card. Matt Schulz, an analyst for the company, said:
“It’s a way for banks to minimize the risk associated with lending to folks who don’t have perfect credit or who are just getting started. These customers are vulnerable, and often have very little financial margin for error.”
Even though the breach occurred because of a security lapse by Capital One, Ms. Thompson’s knowledge of Amazon’s hosting platform aided her criminal endeavor. According to court papers, she once worked as an engineer for the company.
Ms. Thompson has a hearing on Thursday, and will remain in federal custody until then. Her lawyer has declined to comment.
Security breaches are a constant and costly threat for the financial industry. Jamie Dimon, the chief of JPMorgan Chase, has said that his bank spends almost $600 million a year on security. Bank of America’s chief has said that his bank has a “blank check” for cybersecurity.
On May 13, Ms. Thompson enthusiastically posted on Meetup about hacking, saying:
“I’ve been meaning to put together something like a hack night or something soon. It’s been a crazy past two weeks, and my cat had to go to the vet everyday last week but she’s finally starting to recover maybe this wednesday in capitol hill? I’ll do an all day thing at starbucks until they close, I’ve got nothing better to do.”
Capital One said in a statement that it had “immediately fixed the configuration vulnerability” once it discovered the problem. Amazon said it had found no evidence that its underlying cloud services were compromised.