Prosecutors Allege Capital One Suspect Stole From Many OthersNew Court Documents Describe What Was Found on Her Servers
Paige A. Thompson, who’s been arrested on a charge of hacking into Capital One's network and taking the personal and financial data of 106 million individuals, is also suspected of stealing information from over 30 other organizations, according to new court documents.
The documents filed by the U.S. Attorney's Office in Seattle that were unsealed this week reveal that an investigation into the servers taken from Thompson's home after her arrest in July found "multiple terabytes of data" allegedly stolen from companies, educational institutions and other organizations.
As a result, the U.S. Justice Department is now likely to bring additional charges against the 33-year-old Thompson, according to the documents.
Arrested on July 29, Thompson, who lives in the Seattle area, remains in federal custody on a charge of computer fraud and abuse, which carries a maximum penalty of a five-year prison term. The new court documents relate to whether Thompson will remain in jail pending her trial or whether she can be released under supervision. A federal judge has not yet ruled on prosecutors’ request that she remain in custody.
The intrusion into Capital One's network is considered one of the largest data thefts ever, although it’s not clear what Thompson planned to do with any of the data she allegedly stole, according to the court documents. Prosecutors say that Paige kept stolen data on her personal servers and did not make an attempt to sell it or post it online.
"The government notes that Thompson has represented that she neither sold, nor otherwise shared or disseminated any of the data that she stole (from Capital One or any other victim), and that the copy of the data that the government recovered during the search of Thompson’s residence is the only copy of the stolen data that she created. It is too early to confirm that this is the case," according to the new court papers.
The federal public defenders assigned to Thompson's case did not respond to a request for comment.
In the new court documents, federal prosecutors offer some additional details on the data theft from Capital One and how extensive the intrusion into the bank's network was.
Thompson allegedly accessed the credit card applications of 106 million individuals sometime between March and April of this year. Although most of the Social Security numbers that were exposed were encrypted, other information - such as applicants' names, addresses, dates of birth, and information about their credit history - was not, according to the documents.
Capital One is now facing 40 lawsuits in the U.S. as well as eight in Canada, according to the court documents. The bank estimates that the data theft will likely results in expenses totaling between $100 million and $150 million - and that number could swell to $500 million over time, according to the documents (see: Capital One Data Breach Spurs More Lawsuits).
Capital One's stock has lost 10 percent of its value over the last several weeks, prosecutors note.
Prosecutors say that the investigation "suggests that Thompson intruded into servers operated, rented or contracted by over 30 companies, educational institutions and other entities. Although not all of those intrusions involved the theft of personal identifying information, it appears likely that a number of the intrusions did."
How It Happened
Despite the revelations in the new court documents, it remains unclear how Thompson allegedly managed to bypass the bank's security.
In earlier court papers, the FBI noted that the investigation started when Capital One was tipped off that someone was copying and removing customer data that it stored within a cloud service. The bank used Amazon Web Services for its cloud infrastructure, and the data was stored within AWS Simple Storage Service, also known as an S3 bucket, according to news reports.
Some information related to the intrusion was uploaded to the code-sharing site GitHub, prosecutors say. That data uploading, as well as postings on social media, led the FBI to arrest Page, according to court documents.
Although the Capital One data was stored within a cloud-based database, the intrusion started with an attack in early March that focused on a misconfiguration within one of the bank’s web application firewall servers that allowed access to an administrative account by the name of *****-WAF-ROLE, according to the FBI. Once that was compromised, Paige allegedly found the S3 bucket and took the data from there.
Some security researchers believe that the intrusion at Capital One involved a server side request forgery, which is a type of web application vulnerability. If that's the case, it could explain how the data was removed from the Amazon S3 bucket (see: Capital One's Breach May Be a Server Side Request Forgery).
Capital One's Responsibility
Capital One needs to accept responsibility for the theft of its data and its failure to properly protect it, says Steve Katz, the world's first CISO and the founder and president of Security Risk Solutions LLC, an information security company.
The massive breach highlights the need to “get back to the fundamentals” of security, Katz said in an interview at Information Security Media Group's Cybersecurity Fraud Summit this week in New York.
Rather than blaming its cloud provider, Capital One must take responsibility because "it's your company and it's your name” that’s tied to the breach, Katz said. The bank must answer an important question, he adds: “What have you done to ensure that the third parties that you are using are at least consistent with the standards and practices and controls that you required internally?"
In the court documents, the U.S. Attorney's Office in Seattle is supporting the request from the U.S. Probation and Pretrial Services Office that Thompson remain in federal custody pending her trial.
In addition to asking the court to consider the charge against her, federal prosecutors allege that Thompson, who went by the Twitter handle "erratic," is a danger both to herself as well as others.
"Thompson has a long history of threatening behavior that includes repeated threats to kill others, to kill herself and to commit suicide by cop," according to the documents. "Thompson's threats have resulted in multiple calls to law enforcement and the entry of protection orders against Thompson. Thompson's crime in this case - major cyber intrusions that resulted in the theft of massive amounts of data from what now appears to be more than 30 victim companies - only exacerbates the harm that Thompson has done, and the threat she would pose if released."