DOJ files 7 new charges against alleged Capital One hacker

The U.S. Department of Justice (DOJ) has filed seven new charges against Paige Thompson, the former Amazon Web Services (AWS) engineer accused of hacking Capital One and stealing the personal data of more than 100 million Americans.

The new charges, which include six counts of computer fraud and abuse and one count of access device fraud, were revealed in court documents filed earlier this month, obtained by The Record. The previous indictment charged Thompson with one count each of wire fraud and computer crime and abuse, which meant she faced up to five years in prison and a fine of up to $250,000. As a result of the additional charges, Thompson now faces up to 20 years of jail time.

The superseding indictment has also expanded the number of victimized companies from the four listed in the 2019 indictment to eight. In addition to Capital One, a U.S. state agency, a U.S. public research university and an international telecommunications conglomerate, the list now includes a data and threat protection company, an organization that specializes in digital rights management (DRM), a provider of higher education learning technology, and a supplier of call center solutions. The companies have not been named, but security firm CyberInt previously said that Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may all be victims of the breach.

Thompson, who used the handle “erratic” online and was identified after boasting about her activities on GitHub, remains accused of using her knowledge from her previous employment as a software engineer at Amazon to create a program that identified which customers of a cloud computing company (the indictment doesn’t name the company, but it has been identified as Amazon Web Services) had misconfigured firewalls. Once the tool found its target misconfiguration, Thompson allegedly exploited it to extract privileged account credentials.

The prior indictment alleges that once Thompson gained access to victims’ cloud infrastructure using the stolen credentials, she then accessed and downloaded data to a server at her residence in Seattle. It remains unclear whether any of the information was passed to third parties.

In the case of the Capital One breach, which the company confirmed in July 2019, the stolen data comprised 106 million credit card applications, which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. Capital One, which replaced its cybersecurity chief four months after the incident, was fined $80 million in August 2020 for the security breach and its failure to keep its users’ financial data secure.

Prosecutors also allege that Thompson copied and stole data from at least 30 entities in total that used the same cloud provider, and claim that, in some cases, she used this access to set up cryptocurrency mining operations using victims’ cloud computing power – a practice known as cryptojacking.

Thompson pleaded not guilty and was released on pre-trial bond in August 2019. She was initially set to face trial in November 2019, but the trial was delayed to March 2020 due to the huge amount of information the prosecution had to analyze.

The trial was later rescheduled to October 2020 due to the pandemic, then to June 2021, then October 2021, and now to March 14, 2022, with prosecutors still citing the need for more time to analyze the data collected from Thompson’s devices.