Former software engineer indicted over Capital One data breach

A federal grand jury formally indicted a former software engineer on Wednesday for breaching the sensitive data of more than 30 companies, including Capital One, affecting millions of Americans.  

Paige Thompson, a former Amazon employee, was charged with wire fraud as well as computer fraud and abuse for hacking into the networks of Capital One and multiple other unnamed entities earlier this year. If convicted, Thompson faces up to 25 years in prison. 

Thompson was arrested in July for allegedly stealing the personal information of more than 100 million U.S. Capital One customers and potential customers, including Social Security numbers and bank account numbers, and the data of an additional 6 million Canadian customers.  

Thompson’s arrest came after she posted on GitHub about her theft of the data. Another user who saw the post subsequently alerted Capital One, and the company then reached out to the FBI.

The indictment alleges that Thompson accessed this data through the use of “scanning software” that she created, which allowed her to identify the customers of a cloud computing company that had “misconfigured their firewalls.” Thompson also allegedly used stolen power from the computers accessed to “mine cryptocurrency for her own benefit.”

Capital One estimated that 14,000 Social Security numbers of credit card customers were accessed and about 80,000 linked bank account numbers of secured credit card customers were compromised, with around one million Social Security numbers of Canadian customers compromised. 

In announcing the indictment, the Justice Department noted that there is no evidence that Thompson sold or disseminated any of the stolen data.

Three of the other groups Thompson is alleged to have stolen data from are a telecommunications group based outside the U.S., a public research university, and a state agency. According to data compiled by cybersecurity group CyberInt, these groups may have been Vodafone, Michigan State University and the Ohio Department of Transportation. 

Thompson’s alleged theft of data from other entities came from information found on her personal server, with The Associated Press reporting earlier this month that the information found on the server did not appear to include personal identifying information.

The FBI is leading the investigation into the case. Thompson is scheduled to be arraigned on the indictment on Sept. 5 before the U.S. District Court of Western Washington. 

The indictment comes in the midst of legal trouble and other woes for Capital One itself, as the New York Attorney General’s Office pursues an investigation into the breach and congressional committees gear up to address the breach once members return from the August recess.