Published on July 31st, 2019
Capital One Hacking Suspect Showed Strange Online Behavior
The 33-year-old woman accused of executing one of the largest-ever data thefts at a bank showed strange behavior online in recent months, at times bragging about her exploits and discussing deep struggles in her personal life.
Paige Adele Thompson was arrested in her home city of Seattle on Monday, charged with stealing data from Capital One Financial Corp. involving more than 100 million credit-card customers and applicants.
In an unusual twist, Ms. Thompson is a former employee at Amazon.com Inc.’s cloud division responsible for running much of Capital One’s information-technology infrastructure. The heist stands out not only as a massive bank breach but a rare instance in which a former employee of Amazon has been charged with hacking one of the company’s own customers.
Giant corporate breaches typically have been the work of criminal teams, sometimes with ties to national governments. Prosecutors and people familiar with Ms. Thompson describe her as a lone wolf who appeared to be self-destructing while acknowledging online she had acted illegally.
“I’ve basically strapped myself with a bomb vest, f*cking dropping capitol [sic] ones dox and admitting it,” she wrote last month in direct messages on Twitter, according to prosecutors. She also said in the Twitter messages that the documents she obtained contained social security numbers, full names and dates of birth.
The Federal Bureau of Investigation said it seized digital devices from Ms. Thompson’s home that not only referenced Capital One but other companies that may have been targeted. She has been charged with computer fraud and abuse for accessing Capital One’s servers without authorization.
A lawyer for Ms. Thompson couldn’t be reached for comment. A detention hearing is scheduled Thursday in federal court in Seattle.
The bulk of the exposed data involves information submitted by customers and small businesses that applied for Capital One credit cards between 2005 and early 2019, the bank said, including addresses, dates of birth and self-reported income.
Social media posts, including from a Twitter account Ms. Thompson launched last month under the handle “erratic,” varied from mourning the loss of her cat to discussing the difficulties of being transgender and of experiencing homelessness. In one tweet from early July, weeks before her arrest, she tweeted that she was checking herself into a mental-health facility.
Ms. Thompson changed her name in 2009 from Trevor Allen Thompson, according to a legal document filed in King County District Court in Seattle.
Cybersecurity professional Jackie Singh said she has known Ms. Thompson through online forums including Twitter and had been communicating with her for several weeks. Ms. Singh said Ms. Thompson told her she had been supporting herself by hacking Amazon cloud customers and using the services they had purchased to mine cryptocurrencies such as Ethereum and Monero.
Aife Dunne, a software developer in Colorado Springs, Colo., said she met Ms. Thompson in December through an internet chat service where the two kept in touch regularly until about a month ago. Ms. Dunne said that Ms. Thompson often chatted in messages about her struggles as a transgender woman and about being unemployed. Ms. Dunne said Ms. Thompson never discussed Capital One.
Ms. Thompson worked at Amazon Web Services from 2015 to 2016, spending time working on one of AWS’s flagship products, Simple Storage Service, or S3. A résumé Ms. Thompson posted on the digital documents service Scribd says that she was a Level 4 employee, which would be considered a junior employee according to Amazon’s internal ranking system. AWS is the last job listed on Ms. Thompson’s resume. Amazon declined to comment on the circumstances of her departure.
Prosecutors said Ms. Thompson’s efforts to breach Capital One’s systems began as early as March 12. She allegedly used a virtual private network and an anonymous web browser called Tor to shield her identity while attempting to access the bank’s data on Amazon’s servers. Prosecutors said Capital One failed to fully secure its firewall, the mechanism designed to wall off data inside Amazon Web Services, from outside incursion.
Observers are trying to ascertain the degree to which Ms. Thompson leveraged knowledge gleaned inside Amazon to allegedly launch the attack. A person familiar with the investigation said that on March 22, Ms. Thompson used a unique series of commands to first gain access to Capital One’s firewall and then obtain the credentials needed to extract millions of records stored at Amazon. It is possible that her Amazon experience helped her to develop this technique more quickly, the person said. Amazon declined to comment.
Between her first alleged intrusion and April 21, Ms. Thompson downloaded 106 million applications, prosecutors said. Although much of the data was protected by encryption, it was a treasure trove of personal information including 120,000 social security and 77,000 bank-account numbers.
The data breach was complete as unsuspecting Capital One executives prepared for the company’s first-quarter earnings released days later. On the analyst call, Capital One’s founder and CEO, Richard Fairbank, answered a series of questions about the company’s move into the cloud, which he called “big news” as it expected to finish the move from its own data centers by the end of next year.
In early June, Ms. Thompson tweeted that she expected to soon be in the public spotlight: “I’d give it at least two [weeks] before they find out who I am and the whole internet demands that I be banned.”
Ms. Thompson participated in an online discussion group hosted by the collaboration company Slack Inc. where, on June 26, she posted a description of the steps she said she was taking to obscure her identity while hacking, prosecutors said. The next day she “posted about several companies, government entities and educational institutions,” according to the Justice Department’s criminal complaint.
One of the group’s participants responded: “don’t go to jail plz.”
On July 17, Capital One received an email with the subject line “Leaked s3 data” to an account it set up for people to report possible vulnerabilities with its site or products, according to the federal complaint. The sender, with whom the bank said it had no prior contact, directed Capital One to an account on coding platform GitHub that was linked to Ms. Thompson. The email ended with an offer to help track the hacker down.
Capital One investigated the GitHub file, which had an April timestamp, and found more than 700 folders or buckets of data, the complaint said. On July 19, Capital One confirmed that the breach had taken place and contacted the FBI, according to a person familiar with the matter. The bank also handed over its dossier on Ms. Thompson that it had compiled during its investigation to authorities, the person said.
Ms. Thompson’s behavior might seem strange to outsiders: allegedly taking steps to conceal her identity while hacking Capital One, and then talking about her exploits publicly. But it is “not that uncommon in the hacker community that individuals brag about their accomplishments to seek recognition from their peers,” said Steven Masada, assistant U.S. attorney for the Western District of Washington.
“When a hacker becomes marginalized and they live on the fringe of society with a certain amount of knowledge and a certain amount of power, you want to make sure that they’re channeling that energy into something that is creative and not destructive,” said Ms. Singh, chief executive of Spyglass Security Consulting LLC, who runs an online community called InfosecJobs.world.
Ms. Thompson’s résumé shows that she jumped from job to job in recent years. The résumé lists three-month to two-year stints in engineering at Onvia Inc., the now-closed Zion Preparatory Academy in Seattle and Acronym Media Inc., among other employers.
“I sensed that she was just angry,” said Alex Branning, CEO of The Branning Group, a digital marketing agency. Mr. Branning’s firm employed Ms. Thompson as a contractor in early 2011 before terminating the relationship, and she recently reached him through LinkedIn to ask if he had projects for her to work on, he said.
Onvia has since been sold. Acronym confirmed that Ms. Thompson worked remotely for the digital marketing agency for 2½ months in 2011 but was terminated for poor work quality.
Nicole Hong contributed to this article.
Write to Dana Mattioli at dana.mattioli@wsj.com, Robert McMillan at Robert.Mcmillan@wsj.com and Sebastian Herrera at Sebastian.Herrera@wsj.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.