Naked Security

Capital One cryptojacking suspect indicted

The former software engineer allegedly created scanners to look for misconfigured servers rented from a cloud computing company.

Paige Thompson – a 33-year-old woman from Seattle and former software engineer who allegedly turned cyber mega-attacker – has been indicted for the huge Capital One data breach discovered last month.

Capital One was just one of more than 30 entities targeted by her alleged attacks, according to a federal grand jury indictment that was announced on 28 August by the US Attorney’s Office for the Western District of Washington.

Thompson, who allegedly used the username “erratic” on social media, was also indicted for allegedly ripping off data from a cloud computing provider and a host of customers that rented its servers, including an unnamed state agency; a non-US-based telecom that provides service to users in Europe, Asia, Africa and Oceania; and a public research university.

As of Wednesday, law enforcement was still working to inform all of the victims whose data was accessed.

When we wrote up the Capital One breach at the end of July, this is what we knew about who was affected by the breach:

  • 100,000,000 users in the USA
  • 6,000,000 users in Canada
  • Any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019).
  • Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, income.

Some customers also had the following information stolen:

  • Credit scores, credit limits, balances, payment history, contact information and more.
  • Social security numbers (SSNs).
  • Bank account numbers linked to credit cards.

The silver lining is that the majority of customers didn’t lose SSNs in the breach – at the time, Capital One said that only 140,000 SSNs and 80,000 bank account numbers were acquired.

But the fact that any of those SSNs at all were available to be hacked away played into a class-action lawsuit that followed fast on the heels of the breach.

According to the lawsuit, both Capital One and GitHub – a code hosting and version control platform for open-source software development that lets coders collaborate remotely on projects – broke the law by not keeping SSNs and other personal data offline.

GitHub was named because the attacker had posted details to the platform about stealing data from Capital One servers via a misconfigured firewall. The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.

When the lawsuit was filed in early August 2019, GitHub countered by saying that the file posted on GitHub didn’t contain any SSNs, bank account information, or any other reportedly stolen personal information. Capital One had asked GitHub to remove content containing information about the methods used to steal the data, which it says it promptly did.

Thompson is facing two charges: computer fraud and abuse, and wire fraud.

Attacker walked through holes in misconfigured firewalls

According to the indictment, Thompson allegedly created scanners to probe the publicly facing portion of servers rented or contracted through the unidentified cloud computing company. The scanners would pick out the servers whose owners had misconfigured their firewalls in a way that allowed commands sent from outside to reach the servers and gain access.

That allegedly enabled Thompson to obtain security credentials for particular accounts and roles within the victimized organizations. From there, she allegedly accessed folders or buckets of data in their storage space, and used the servers to mine cryptocurrency – a practice known as cryptojacking.

After spotting erratic’s post on GitHub, another GitHub user on 17 July 2019 alerted Capital One to the possibility that it had suffered a breach. Capital One notified the FBI, which traced the intrusion to Thompson. When agents executed a search warrant on 29 July, they seized electronic storage devices that were said to contain copies of the stolen data.

The DOJ says that investigators haven’t yet found evidence of Thompson having sold or disseminated any of the stolen data. If convicted, Thompson is facing a prison sentence of up to 25 years, though maximum penalties are rarely handed out.

To stay updated on the status of the Capital One breach, check in on the company’s breach notification site.
