Capital One Hacker: DOJ Files 7 New Charges

DOJ Adds Charges in Capital One Data Breach Case

The U.S. Department of Justice (DOJ) has expanded the legal case against Paige Thompson, a former engineer with Amazon Web Services (AWS). Seven new charges have been filed concerning the alleged hacking of Capital One and the subsequent theft of data belonging to over 100 million individuals.

Details of the New Indictment

These additional charges consist of six counts related to computer fraud and abuse, alongside one charge of access device fraud. Court records, recently obtained by The Record, detail these developments. Previously, Thompson faced charges of wire fraud and computer crime and abuse.

The original indictment carried a potential sentence of up to five years in prison and a fine reaching $250,000. However, with these new charges, Thompson could now face a maximum of 20 years imprisonment.

Expanded List of Affected Companies

The scope of the alleged data breach has also been broadened. The superseding indictment now lists eight victimized companies, an increase from the four initially identified in 2019.

Alongside Capital One, the affected entities include a U.S. state agency, a U.S. public research university, and an international telecommunications conglomerate. Further additions to the list are a data and threat protection firm, a digital rights management (DRM) specialist, a provider of educational learning technology, and a call center solutions supplier.

While the companies remain unnamed, CyberInt, a security firm, has suggested that Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation may have been impacted by the breach.

Allegations Against Paige Thompson

Thompson, known online as “erratic,” was reportedly identified through boasts made on GitHub regarding her activities. She is accused of leveraging her prior experience as a software engineer at Amazon to develop a program.

This program was designed to identify customers of a cloud computing provider – identified as Amazon Web Services – who had improperly configured their firewalls. Upon discovering these vulnerabilities, Thompson allegedly exploited them to acquire privileged account credentials.

The initial indictment claims that, utilizing these stolen credentials, Thompson gained access to victims’ cloud infrastructure and subsequently downloaded data to a server located in Seattle. The extent to which this information was shared with third parties remains unknown.

Impact of the Capital One Breach

Capital One confirmed the breach in July 2019. The stolen data included information from 106 million credit card applications, encompassing names, addresses, phone numbers, and dates of birth.

Additionally, 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data were compromised. Capital One replaced its cybersecurity chief four months after the incident and was fined $80 million in August 2020 for failing to adequately protect user financial data.

Further Allegations and Trial Delays

Prosecutors allege Thompson copied data from at least 30 entities utilizing the same cloud provider. In some instances, she is accused of using the compromised cloud computing power for cryptocurrency mining – a practice known as cryptojacking.

Thompson has entered a plea of not guilty and was released on bond in August 2019. The trial has faced multiple postponements.

Initially scheduled for November 2019, it was delayed to March 2020, then to June 2021, then October 2021. The current trial date is set for March 14, 2022, with prosecutors citing the ongoing need to analyze data recovered from Thompson’s devices.