Paige A. Thompson, the hacker who hacked Capital One bank in 2019 and stole the data of over 100 million customers, is facing fresh charges in the US for hacking into several other companies, including a US state agency, a public research university, a cyber security company, and a telecommunications conglomerate.
In 2019, Thompson, who was then a software engineer at Amazon Web Services (AWS), was indicted on two counts of wire fraud and computer fraud for hacking into a cloud server that stored data belonging to Capital One and thirty other companies. The 33-year-old was accused of creating scanning software to identify customers of a cloud computing company that had misconfigured its web application firewalls.
Using the custom software, Thompson allegedly accessed the cloud servers and stole vast amounts of data. She was also accused of using stolen computers to mine cryptocurrency for financial gain. The data exfiltration impacted dozens of companies whose data was stored in the targeted servers. The data of over 100 million customers of Capital One were also compromised because of her alleged activities.
Federal law enforcement agencies zeroed in on Thompson after Capital One discovered the data breach and notified the FBI. Thompson was herself responsible for her arrest as her involvement was discovered after she shared her exploits, which occurred between March 12 and July 17, 2019, with another user on the coding website GitHub.
According to Capital One, Thompson stole about 140,000 Social Security numbers and 80,000 linked bank account numbers belonging to about 100 million individuals in the United States and 6 million people in Canada. She was also accused of stealing phone numbers, credit scores, and about one million social insurance numbers of Capital One’s customers.
In August last year, the Office of the Comptroller of the Currency (OCC), a banking regulator in the US, fined Capital One $80 million (£61.3 million) for failing to prevent the breach of personal and financial records of upto 100 million customers in the US. OCC observed that Capital One failed to “establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment.”
Thompson’s woes are far from over, for according to The Record, the US Department of Justice has now slapped seven new charges on top of the two counts for which she was indicted in August 2019. The fresh charges include one count of access device fraud and six counts of computer fraud and abuse.
If she is found guilty, Thompson’s total sentencing could amount to twenty years in prison, instead of a maximum of five years she faced under the previous two counts. The only respite for her is that due to the COVID-19 situation and the addition of fresh charges, her trial has been postponed from October 2021 to March 14, 2022.