The software engineer allegedly behind one of the largest bank data breaches in history boasted about her hacking prowess online while obtaining personal information from more than 100 million Capital One credit applications, federal prosecutors said.
Paige A. Thompson, who used the online handle “erratic,” was charged Monday with a single count of computer fraud and abuse in federal court in Seattle after FBI officials linked her to online posts detailing the massive data theft on Twitter and Slack, court documents show.
“I’ve basically strapped myself with a bomb vest,” Thompson wrote on June 18, according to the criminal complaint. “F–king dropping capitol ones dox and admitting it.”
An FBI agent who led the investigation into Thompson, 33, said she was able to obtain the data via a “firewall misconfiguration” that allowed her to execute commands on a server that gave her access to data in Capital One’s storage space at a “Cloud Computing Company,” according to the criminal complaint.
That company was identified as Amazon by the New York Times, which also reported that Thompson previously worked for Amazon Web Services. She was listed as the organizer for a Meetup group called Seattle Warez Kiddies, an online hub for people who appreciate “distributed systems, programming hacking [and] cracking.”
An online tipster first contacted Capital One on July 17 about a potential vulnerability in its data, saying that leaked information appeared to be on a code-hosting site called GitHub. Two days later, bank officials confirmed the breach by an “outside individual.” The data copied from Capital One primarily included data related to credit applications, likely numbering in the tens of millions, the complaint states.
“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the document reads. “According to Capital One, that data includes approximately 120,000 Social Security Numbers and approximately 77,000 bank account numbers.”
Ten days after Capital One was alerted to the vulnerability, Thompson posted about “several companies, government entities and educational institutions,” which an FBI Cyber Squad investigator said appeared to be references to other data breaches she “may have committed,” according to the complaint.
In one message on Slack, Thompson tried to downplay a message from another user who warned her to tread lightly, saying “don’t go to jail plz,” the complaint states.
“I wanna get it off my server that’s why Im archiving all of it lol,” Thompson replied, according to court papers. “Its all encrypted. I just don’t want it around though. I gotta find somewhere to store it.”
Thompson, who made her initial appearance Monday in federal court in Seattle, was ordered to remain in custody until a detention hearing on Thursday. Her court-appointed attorney did not immediately return a message seeking comment.
Thompson, meanwhile, has “made statements on social media evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally,” according to the complaint, which said investigators ultimately confirmed her identity after she posted an estimate online that she received from a veterinarian about one of her pets.
In a statement released Monday, Capital One officials said the data breach impacted roughly 100 million people in the United States and 6 million in Canada.
No credit card account numbers or log-in credentials were compromised, but roughly 140,000 Social Security numbers of its credit card customers were obtained, or 20,000 more than the FBI’s estimate, according to bank officials.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One chairman and CEO Richard Fairbank said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
With Post wires