Industry News

Ex-Amazon worker suspected of hacking Capital One, faces charges of breaching 30 other companies to mine cryptocurrency

At the end of July, the FBI arrested a 33-year-old woman in Seattle in connection with a massive data breach at financial services firm Capital One.

33-year-old software engineer Paige Thompson, who also went by the online handle of “erratic”, was suspected of breaking into Amazon Web Services (AWS) servers used by Capital One, and stealing data related to 100 million credit card applications.

Prosecutors said that the breach included 140,000 social security numbers and 80,000 bank account numbers, culled from the many millions of card applications.

Capital One blamed the security breach on a “configuration vulnerability”.

In the latest development of this ongoing investigation, Thompson has been charged in relation to not just hacking Capital One, but a further 30 organisations. And in some cases, according to an indictment unsealed yesterday, the former Amazon systems engineer exploited servers at hacked companies to mine cryptocurrency.

The indictment alleged that Thompson exploited the fact that certain Amazon cloud customers had “misconfigured web application firewalls on the servers”, and that this misconfiguration was exploited to “obtain credentials for accounts of those customers that had permission to view and copy data stored by the customers on their Cloud Computing Company servers.”

The indictment continues to allege that Thompson used those stolen credentials to access and copy other data stored on the Amazon cloud servers, including personal identifying information, and offers a motive:

“The object also was to sue the access to the customers’ servers in other ways for Paige A Thompson’s own benefit, including by using those serves for ‘cryptojacking’.”

Regular readers of Hot for Security will be all too familiar with the rapid rise of cryptojacking, where computer power can be stolen by unauthorised parties to “mine” for cryptocurrency. Most users’ experience of cryptojacking has been within their web browser, but it’s just as possible – and indeed even more attractive – for the persons doing the cryptomining to take advantage of the increased processing power offered by servers.

Other than Capital One, none of the victim organisations have been named – although some have been loosely described as a public research university, a telecoms conglomerate, and a state agency.

Thompson is schedule to be arraigned on September 5 2019, and – if eventually convicted of the charges – could face up to 25 years in prison.

Ironically, investigators were directed towards Thompson as a suspect after an acquaintance of hers warned Capital One that stolen data had been published on Github.

The name associated with the Github account? “paigeadelethompson.”

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.