A former Amazon Web Services employee has been charged with one count of computer fraud and abuse for hacking into the personal data of 100 million applications of the financial services firm Capital One. The suspect, 33-year-old Seattle-based software engineer Paige Thompson, broke into a Capital One server and accessed one hundred and forty thousand Social Security numbers, one million Canadian insurance numbers and eighty thousand bank account numbers. Thompson was able to gain access through Amazon’s cloud data hosting service, which Capital One was using. According to the court filing, she got into the server by exploiting a misconfigured web application firewall.
Capital One wrote about the extent of the data accessed saying, “The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
According to Capital One, “Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.” Capital One CEO Richard Fairbank said in a statement, “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened, I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Thompson was arrested on Monday, and many details are being revealed about who she is and why she is suspected of the crime. On Meetup, a website for hosting group gatherings, she organized a group called Seattle Warez Kiddies, described as a group for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The group has since been taken down from the site. The New York Times wrote that, “The F.B.I. noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and the Slack messaging service.”
Thompson went by the name “erratic” online and often posted information about herself. The New York Times found that, “She commented often on programming chatter, fretted about her dating life and mourned the euthanasia of her cat, Millie. Millie’s death, she wrote, was ‘one of the most painful and emotionally overwhelming experiences I’ve had in my life.’”
But Ms. Thompson also spoke darkly about her mental health, writing on July 5 that she intended to check herself into a facility for treatment. “I have a whole list of things that will ensure my involuntary confinement from the world,” she wrote. “The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”
The FBI was able to link her to the crime by following the posts she made online, one of which even mentioned Capital One. “I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, “dropping Capital One’s dox and admitting it.”
Thompson’s hearing is on Thursday, and she will remain in federal custody until then.