At the end of July, the FBI arrested a 33-year-old woman in Seattle in connection with a massive data breach at financial services firm Capital One.
33-year-old software engineer Paige Thompson, who also went by the online handle of “erratic”, was suspected of breaking into Amazon Web Services (AWS) servers used by Capital One, and stealing data related to 100 million credit card applications.
Prosecutors said that the breach included 140,000 social security numbers and 80,000 bank account numbers, culled from the many millions of card applications.
Capital One blamed the security breach on a “configuration vulnerability”.
In the latest development of this ongoing investigation, Thompson has been charged in relation to not just hacking Capital One, but a further 30 organisations. And in some cases, according to an indictment unsealed yesterday, the former Amazon systems engineer exploited servers at hacked companies to mine cryptocurrency.
The indictment alleged that Thompson exploited the fact that certain Amazon cloud customers had “misconfigured web application firewalls on the servers”, and that this misconfiguration was exploited to “obtain credentials for accounts of those customers that had permission to view and copy data stored by the customers on their Cloud Computing Company servers.”
The indictment continues to allege that Thompson used those stolen credentials to access and copy other data stored on the Amazon cloud servers, including personal identifying information, and offers a motive:
“The object also was to use the access to the customers’ servers in other ways for Paige A Thompson’s own benefit, including by using those servers for ‘cryptojacking’.”
Regular readers of Hot for Security will be all too familiar with the rapid rise of cryptojacking, where computer power can be stolen by unauthorised parties to “mine” for cryptocurrency. Most users’ experience of cryptojacking has been within their web browser, but it’s just as possible – and indeed even more attractive – for the persons doing the cryptomining to take advantage of the increased processing power offered by servers.
Other than Capital One, none of the victim organisations have been named – although some have been loosely described as a public research university, a telecoms conglomerate, and a state agency.
Thompson is scheduled to be arraigned on September 5 2019, and – if eventually convicted of the charges – could face up to 25 years in prison.
Ironically, investigators were directed towards Thompson as a suspect after an acquaintance of hers warned Capital One that stolen data had been published on GitHub.
The name associated with the GitHub account? “paigeadelethompson.”