Published on July 31st, 2019

Capital One Hacking Suspect Showed Strange Online Behavior


The 33-year-old woman accused of executing one of the largest-ever data thefts at a bank showed strange behavior online in recent months, at times bragging about her exploits and discussing deep struggles in her personal life.

Paige Adele Thompson was arrested in her home city of Seattle on Monday, charged with stealing data from Capital One Financial Corp. involving more than 100 million credit-card customers and applicants.

In an unusual twist, Ms. Thompson is a former employee at Amazon.com Inc.’s cloud division responsible for running much of Capital One’s information-technology infrastructure. The heist stands out not only as a massive bank breach but a rare instance in which a former employee of Amazon has been charged with hacking one of the company’s own customers.

Paige A. Thompson, shown in her profile picture on Keybase, has been charged with computer fraud and abuse.

Giant corporate breaches typically have been the work of criminal teams, sometimes with ties to national governments. Prosecutors and people familiar with Ms. Thompson describe her as a lone wolf who appeared to be self-destructing while acknowledging online she had acted illegally.

“I’ve basically strapped myself with a bomb vest, f*cking dropping capitol [sic] ones dox and admitting it,” she wrote last month in direct messages on Twitter, according to prosecutors. She also said in the Twitter messages that the documents she obtained contained social security numbers, full names and dates of birth.

The Federal Bureau of Investigation said it seized digital devices from Ms. Thompson’s home that not only referenced Capital One but other companies that may have been targeted. She has been charged with computer fraud and abuse for accessing Capital One’s servers without authorization.

A lawyer for Ms. Thompson couldn’t be reached for comment. A detention hearing is scheduled Thursday in federal court in Seattle.

The bulk of the exposed data involves information submitted by customers and small businesses that applied for Capital One credit cards between 2005 and early 2019, the bank said, including addresses, dates of birth and self-reported income.

Social media posts, including from a Twitter account Ms. Thompson launched last month under the handle “erratic,” ranged from mourning the loss of her cat to discussing the difficulties of being transgender and of experiencing homelessness. In one tweet from early July, weeks before her arrest, she wrote that she was checking herself into a mental-health facility.

Ms. Thompson changed her name in 2009 from Trevor Allen Thompson, according to a legal document filed in King County District Court in Seattle.

Cybersecurity professional Jackie Singh said she has known Ms. Thompson through online forums including Twitter and had been communicating with her for several weeks. Ms. Singh said Ms. Thompson told her she had been supporting herself by hacking Amazon cloud customers and using the services they had purchased to mine cryptocurrencies such as Ethereum and Monero.

Aife Dunne, a software developer in Colorado Springs, Colo., said she met Ms. Thompson in December through an internet chat service where the two kept in touch regularly until about a month ago. Ms. Dunne said that Ms. Thompson often chatted in messages about her struggles as a transgender woman and about being unemployed. Ms. Dunne said Ms. Thompson never discussed Capital One.





Ms. Thompson worked at Amazon Web Services from 2015 to 2016, spending time working on one of AWS’s flagship products, Simple Storage Service, or S3. A résumé Ms. Thompson posted on the digital documents service Scribd says that she was a Level 4 employee, which would be considered a junior employee according to Amazon’s internal ranking system. AWS is the last job listed on Ms. Thompson’s resume. Amazon declined to comment on the circumstances of her departure.

Prosecutors said Ms. Thompson’s efforts to breach Capital One’s systems began as early as March 12. She allegedly used a virtual private network and an anonymous web browser called Tor to shield her identity while attempting to access the bank’s data on Amazon’s servers. Prosecutors said Capital One failed to fully secure its firewall—the mechanism designed to wall off data inside Amazon Web Services—from outside incursion.

Observers are trying to ascertain the degree to which Ms. Thompson leveraged knowledge gleaned inside Amazon to allegedly launch the attack. A person familiar with the investigation said that on March 22, Ms. Thompson used a unique series of commands to first gain access to Capital One’s firewall and then obtain the credentials needed to extract millions of records stored at Amazon. It is possible that her Amazon experience helped her to develop this technique more quickly, the person said. Amazon declined to comment.

Between her first alleged intrusion and April 21, Ms. Thompson downloaded 106 million applications, prosecutors said. Although much of the data was protected by encryption, it was a treasure trove of personal information including 120,000 social security and 77,000 bank-account numbers.

The data breach was complete as unsuspecting Capital One executives prepared for the company’s first-quarter earnings released days later. On the analyst call, Capital One’s founder and CEO, Richard Fairbank, answered a series of questions about the company’s move into the cloud, which he called “big news” as it expected to finish the move from its own data centers by the end of next year.

In early June, Ms. Thompson tweeted that she expected to soon be in the public spotlight: “I’d give it at least two [weeks] before they find out who I am and the whole internet demands that I be banned.”

Ms. Thompson participated in an online discussion group hosted by the collaboration company Slack Inc. where, on June 26, she posted a description of the steps she said she was taking to obscure her identity while hacking, prosecutors said. The next day she “posted about several companies, government entities and educational institutions,” according to the Justice Department’s criminal complaint.

One of the group’s participants responded: “don’t go to jail plz.”

On July 17, Capital One received an email with the subject line “Leaked s3 data” to an account it set up for people to report possible vulnerabilities with its site or products, according to the federal complaint. The sender, with which the bank said it had no prior contact, directed Capital One to an account on coding platform GitHub that was linked to Ms. Thompson. The email ended with an offer to help track the hacker down.

Capital One investigated the GitHub file, which had an April timestamp, and found more than 700 folders or buckets of data, the complaint said. On July 19, Capital One confirmed that the breach had taken place and contacted the FBI, according to a person familiar with the matter. The bank also handed over its dossier on Ms. Thompson that it had compiled during its investigation to authorities, the person said.

Ms. Thompson’s behavior might seem strange to outsiders—allegedly taking steps to conceal her identity while hacking Capital One, and then talking about her exploits publicly. But it is “not that uncommon in the hacker community that individuals brag about their accomplishments to seek recognition from their peers,” said Steven Masada, assistant U.S. attorney for the Western District of Washington.

“When a hacker becomes marginalized and they live on the fringe of society with a certain amount of knowledge and a certain amount of power, you want to make sure that they’re channeling that energy into something that is creative and not destructive,” said Ms. Singh, chief executive of Spyglass Security Consulting LLC, who runs an online community called InfosecJobs.world.

Ms. Thompson’s résumé shows that she jumped from job to job in recent years. The résumé lists three-month to two-year stints in engineering at Onvia Inc., the now-closed Zion Preparatory Academy in Seattle and Acronym Media Inc., among other employers.

“I sensed that she was just angry,” said Alex Branning, CEO of The Branning Group, a digital marketing agency. Mr. Branning’s firm employed Ms. Thompson as a contractor in early 2011 before terminating the relationship, and she recently reached him through LinkedIn to ask if he had projects for her to work on, he said.

Onvia has since been sold. Acronym confirmed that Ms. Thompson worked remotely for the digital marketing agency for 2½ months in 2011 but was terminated for poor work quality.

Write to Dana Mattioli at dana.mattioli@wsj.com, Robert McMillan at Robert.Mcmillan@wsj.com and Sebastian Herrera at Sebastian.Herrera@wsj.com

Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.


