The Department of Justice said today that a federal grand jury has indicted software engineer Paige Thompson on two counts related to the Capital One data breach that affected more than 100 million customers. The charges in the indictment carry penalties of up to 25 years in prison. Thompson will be arraigned in U.S. District Court in Seattle on September 5.
Thompson allegedly created software that allowed her to see which customers of a cloud computing company (the indictment does not name the company, but it has been identified as Amazon Web Services) had misconfigured their firewalls, and accessed data from Capital One and more than 30 other companies.
Much of the information in today’s indictment was already included in the FBI’s criminal complaint filed in July. In the indictment, however, the Department of Justice includes the new allegation that Thompson used the cloud servers she allegedly breached for cryptojacking. Though Thompson had previously made references to cryptojacking, or stealing someone else’s processing power to mine cryptocurrencies, in Slack messages reported by Forbes, today’s indictment does not contain new evidence about why the Department of Justice is making those claims.
Research has found that cryptojacking may be on the rise, in part because many organizations do not have adequate security measures in place.
In its statement, the Department of Justice said it has identified some of the victims of the data breach, including a state agency, a public research university located outside Washington state and a telecommunications conglomerate outside of the U.S. The indictment did not name the victims, but security firm CyberInt has said that Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may all be victims of the data breach, which also included 106 credit card applications and files copied from a cloud server by Thompson.