Capital One Breach Suspect Faces New Criminal Charges
Paige Thompson Now Could Face Up to 20 Years in Federal Prison If Convicted
Federal prosecutors have filed seven new criminal charges against Paige A. Thompson, who's accused of breaching Capital One bank in 2019. The breach compromised the personal data of 100 million Americans, exposing hundreds of thousands of Social Security numbers.
Thompson, who is free while awaiting trial and has pleaded not guilty, now faces up to 20 years in federal prison if convicted of the federal charges, according to a superseding indictment filed this week by the U.S. Department of Justice.
Prosecutors and defense attorneys agreed to postpone any trial until April 2022, according to court documents. Since Thompson's arrest in 2019, her trial, to be held in federal court in Seattle, has been delayed several times over issues ranging from the amount of evidence in the case that needs to be reviewed by both sides to the COVID-19 pandemic.
New Charges and Victims
The new charges filed in the case against Thompson include six counts of computer fraud and abuse and one count of access device fraud. Prosecutors originally charged Thompson with one count each of wire fraud and computer crime and abuse.
The superseding indictment also describes some of the other organizations that Thompson allegedly breached in 2019, including four unnamed technology companies that all used the same cloud computing service provider.
While the cloud computing host referenced in the superseding indictment has not been named, Thompson worked for Amazon Web Services' Simple Cloud Storage Service - aka Amazon S3 - from 2015 to 2016. Capital One has previously stated that it also uses AWS infrastructure.
Federal prosecutors allege that Thompson targeted about 30 organizations. Previously, court papers indicated that these included an unnamed state agency and a public research university as well as "a telecommunications conglomerate located outside the United States that provides services predominantly to customers in Europe, Asia, Africa and Oceania." (See: Paige Thompson Charged With Hacking 30 Organizations).
Alleged Attack Method
Federal prosecutors allege that Thompson, who lives in the Seattle area and used the handle "erratic," accessed Capital One's cloud-based repository of credit card applications after taking advantage of a misconfigured firewall.
Security experts have suggested that she may have discovered weaknesses in Capital One's implementation of the technology that allowed her to exfiltrate the data (see: Capital One Warns of More Data Leaked in 2019 Breach).
Thompson reportedly installed cryptocurrency mining software on several misconfigured servers. She also reportedly attempted to conceal her identity and location by using a virtual private network service called iPredator as well as the anonymizing Tor network to access the cloud computing servers.
Capital One sent a notification and a letter to its customers in March, noting that following another internal investigation into the 2019 breach, the company learned that the incident could have exposed additional Social Security numbers, on top of the 140,000 Social Security numbers and 80,000 linked bank account numbers originally reported as affected.
A notification and letter filed with California authorities in March did not specify how many additional Social Security numbers may have been exposed.
Capital One says that while there is no evidence that customers' Social Security numbers were used for fraud, the bank is offering an additional two years of prepaid credit monitoring for anyone who received the updated notice.
In August 2020, the U.S. Office of the Comptroller of the Currency, which is part of the U.S. Department of the Treasury, fined Capital One $80 million in connection with the breach.
At the time of the discovery, Capital One worked with law enforcement officials and released breach information on a webpage dedicated to the incident.
In May 2020, a federal judge ordered Capital One to turn over the results of a digital forensics investigation into the data breach - prompted by plaintiffs in a class action lawsuit that had been seeking release of the report. Plaintiffs in the U.S. have filed more than 60 class action lawsuits over the breach, which have since been consolidated into one case being heard by the U.S. District Court for the Eastern District of Virginia.