Woman charged in Capital One data breach that affected more than
100 million
By Dana Mattioli, Robert McMillan and Sebastian Herrera
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (July 31, 2019).
The 33-year-old woman accused of executing one of the
largest-ever data thefts at a bank showed strange behavior online
in recent months, at times bragging about her exploits and
discussing deep struggles in her personal life.
Paige Adele Thompson was arrested in her home city of Seattle on
Monday, charged with stealing data from Capital One Financial Corp.
involving more than 100 million credit-card customers and
applicants.
In an unusual twist, Ms. Thompson is a former employee at
Amazon.com Inc.'s cloud division responsible for running much of
Capital One's information-technology infrastructure. The heist
stands out not only as a massive bank breach but also as a rare instance in
which a former employee of Amazon has been charged with hacking one
of the company's own customers.
Giant corporate breaches typically have been the work of
criminal teams, sometimes with ties to national governments.
Prosecutors and people familiar with Ms. Thompson describe her as a
lone wolf who appeared to be self-destructing while acknowledging
online she had acted illegally.
"I've basically strapped myself with a bomb vest, f*cking
dropping capitol [sic] ones dox and admitting it," she wrote last
month in direct messages on Twitter, according to prosecutors. She
also said in the Twitter messages that the documents she obtained
contained social security numbers, full names and dates of
birth.
The Federal Bureau of Investigation said it seized digital
devices from Ms. Thompson's home that referenced not only Capital
One but also other companies that may have been targeted. She has been
charged with computer fraud and abuse for accessing Capital One's
servers without authorization.
A lawyer for Ms. Thompson couldn't be reached for comment. A
detention hearing is scheduled Thursday in federal court in
Seattle.
The bulk of the exposed data involves information submitted by
customers and small businesses that applied for Capital One credit
cards between 2005 and early 2019, the bank said, including
addresses, dates of birth and self-reported income.
Social media posts, including from a Twitter account Ms.
Thompson launched last month under the handle "erratic," ranged
from mourning the loss of her cat to discussing the difficulties
of being transgender and of experiencing homelessness. In one tweet
from early July, weeks before her arrest, she tweeted that she was
checking herself into a mental-health facility.
Ms. Thompson changed her name in 2009 from Trevor Allen
Thompson, according to a legal document filed in King County
District Court in Seattle.
Cybersecurity professional Jackie Singh said she has known Ms.
Thompson through online forums including Twitter and had been
communicating with her for several weeks. Ms. Singh said Ms.
Thompson told her she had been supporting herself by hacking Amazon
cloud customers and using the services they had purchased to mine
cryptocurrencies such as Ethereum and Monero.
Aife Dunne, a software developer in Colorado Springs, Colo.,
said she met Ms. Thompson in December through an internet chat
service where the two kept in touch regularly until about a month
ago. Ms. Dunne said that Ms. Thompson often chatted in messages
about her struggles as a transgender woman and about being
unemployed. Ms. Dunne said Ms. Thompson never discussed Capital
One.
Ms. Thompson worked at Amazon Web Services from 2015 to 2016,
spending time working on one of AWS's flagship products, Simple
Storage Service, or S3. A résumé Ms. Thompson posted on the digital
documents service Scribd says that she was a Level 4 employee,
which would be considered a junior employee according to Amazon's
internal ranking system. AWS is the last job listed on Ms.
Thompson's résumé. Amazon declined to comment on the circumstances
of her departure.
Prosecutors said Ms. Thompson's efforts to breach Capital One's
systems began as early as March 12. She allegedly used a virtual
private network and an anonymous web browser called Tor to shield
her identity while attempting to access the bank's data on Amazon's
servers. Prosecutors said Capital One failed to fully secure its
firewall -- the mechanism designed to wall off data inside Amazon
Web Services -- from outside incursion.
Observers are trying to ascertain the degree to which Ms.
Thompson leveraged knowledge gleaned inside Amazon to allegedly
launch the attack. A person familiar with the investigation said
that on March 22, Ms. Thompson used a unique series of commands to
first gain access to Capital One's firewall and then obtain the
credentials needed to extract millions of records stored at Amazon.
It is possible that her Amazon experience helped her to develop
this technique more quickly, the person said. Amazon declined to
comment.
Between her first alleged intrusion and April 21, Ms. Thompson
downloaded 106 million applications, prosecutors said. Although
much of the data was protected by encryption, it was a treasure
trove of personal information including 120,000 social security and
77,000 bank-account numbers.
The data breach was complete as unsuspecting Capital One
executives prepared for the company's first-quarter earnings
released days later. On the analyst call, Capital One's founder and
CEO, Richard Fairbank, answered a series of questions about the
company's move into the cloud, which he called "big news" as it
expected to finish the move from its own data centers by the end of
next year.
In early June, Ms. Thompson tweeted that she expected to soon be
in the public spotlight: "I'd give it at least two [weeks] before
they find out who I am and the whole internet demands that I be
banned."
Ms. Thompson participated in an online discussion group hosted
by the collaboration company Slack Inc. where, on June 26, she
posted a description of the steps she said she was taking to
obscure her identity while hacking, prosecutors said. The next day
she "posted about several companies, government entities and
educational institutions," according to the Justice Department's
criminal complaint.
One of the group's participants responded: "don't go to jail
plz."
On July 17, Capital One received an email with the subject line
"Leaked s3 data" to an account it set up for people to report
possible vulnerabilities with its site or products, according to
the federal complaint. The sender, with which the bank said it had
no prior contact, directed Capital One to an account on coding
platform GitHub that was linked to Ms. Thompson. The email ended
with an offer to help track the hacker down.
Capital One investigated the GitHub file, which had an April
timestamp, and found more than 700 folders or buckets of data, the
complaint said. On July 19, Capital One confirmed that the breach
had taken place and contacted the FBI, according to a person
familiar with the matter. The bank also handed over its dossier on
Ms. Thompson that it had compiled during its investigation to
authorities, the person said.
Ms. Thompson's behavior might seem strange to outsiders --
allegedly taking steps to conceal her identity while hacking
Capital One, and then talking about her exploits publicly. But it
is "not that uncommon in the hacker community that individuals brag
about their accomplishments to seek recognition from their peers,"
said Steven Masada, assistant U.S. attorney for the Western
District of Washington.
"When a hacker becomes marginalized and they live on the fringe
of society with a certain amount of knowledge and a certain amount
of power, you want to make sure that they're channeling that energy
into something that is creative and not destructive," said Ms.
Singh, chief executive of Spyglass Security Consulting LLC, who
runs an online community called InfosecJobs.world.
Ms. Thompson's résumé shows that she jumped from job to job in
recent years. The résumé lists three-month to two-year stints in
engineering at Onvia Inc., the now-closed Zion Preparatory Academy
in Seattle and Acronym Media Inc., among other employers.
"I sensed that she was just angry," said Alex Branning, CEO of
The Branning Group, a digital marketing agency. Mr. Branning's firm
employed Ms. Thompson as a contractor in early 2011 before
terminating the relationship, and she recently reached him through
LinkedIn to ask if he had projects for her to work on, he said.
Onvia has since been sold. Acronym confirmed that Ms. Thompson
worked remotely for the digital marketing agency for 2 1/2 months
in 2011 but was terminated for poor work quality.
--Nicole Hong contributed to this article.
Write to Dana Mattioli at dana.mattioli@wsj.com, Robert McMillan
at Robert.Mcmillan@wsj.com and Sebastian Herrera at
Sebastian.Herrera@wsj.com
(END) Dow Jones Newswires
July 31, 2019 02:47 ET (06:47 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.