Alleged Capital One hacker faces 20 years in prison for stealing 100 million customers’ data
By Moira Ritter, CNN Business
The US Justice Department has filed additional charges against the hacker accused of illegally accessing more than 100 million Capital One customers’ accounts and credit card applications in 2019.
Paige Thompson, a former Amazon engineer, now faces six counts of computer fraud and abuse, one count of access device fraud and one count of aggravated identity theft in addition to the original two charges. The superseding indictment also lists four additional victims of Thompson’s hacking. She could serve up to 20 years in prison.
In 2019, Thompson allegedly gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to people’s names, addresses, credit scores, credit limits, balances, and other information in, according to the bank and the US Department of Justice. The hack marked one of the largest data breaches in history.
Following the incident, Capital One entered into consent orders with the Fed and the Office of the Comptroller of Currency. The Fed then filed a cease and desist order, laying out steps the bank needed to take to improve its security, while the Office of the Comptroller of Currency filed an $80 million civil penalty against the bank.
In addition to accessing data, the Justice Department also alleges that Thompson shared details of the hack online.
The Department of Justice said Thompson posted about the tools she used to hack Capital One on GitHub, a software development site where programmers can post projects, using her full first, middle and last names.
The complaint also includes screenshots of a Slack channel in which Thompson, under the alleged alias “erratic,” posted a list of Capital One files she claimed to possess and explained how she extracted the files.
“I wanna get it off my server that’s why Im archiving all of it lol,” Thompson allegedly posted on Slack.
The agency also alleges that Thompson made statements on other social media platforms about possessing Capital One data, listing a Twitter handle that allegedly belonged to Thompson, @0xa3a97b6c in the complaint. The account has since been suspended.
“Ive basically strapped myself with a bomb vest, f—ing dropping Capital One’s dox and admitting it,” Thompson allegedly wrote in a private message via Twitter.
Thompson’s private Twitter messages also included references to distributing the names, Social Security numbers and dates of birth for the customers whose records she breached, according to the Justice Department.
Thompson’s trial, which has been postponed several times for further discovery and because of the pandemic, is now set for March 14, 2022.
The-CNN-Wire
™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.