[BreachExchange] New charges filed against Capital One hacker, trial postponed to 2022

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 30 11:06:38 EDT 2021


https://therecord.media/new-charges-filed-against-capital-one-hacker-trial-postponed-to-2022/

The US government has filed a superseding indictment against Paige A.
Thompson, a former Amazon engineer accused of hacking Capital One and
stealing the personal data of more than 100 million Americans.

According to court documents filed earlier this month and obtained by The
Record, the US Department of Justice has added seven new charges on top of
the original two it filed in August 2019.

The new charges—six counts of computer fraud and abuse, and one count of
access device fraud—come as investigators have made headway in analyzing
data seized from Thompson’s computers and servers.

The superseding indictment has also expanded the number of victimized
companies from four listed in the 2019 indictment to eight, including:

   - Capital One
   - A US state agency
   - A telecommunications conglomerate located outside the US
   - A US public research university
   - A technology company that specializes in digital rights management
     (NEW)
   - A technology company that provides data and threat protection services
     (NEW)
   - A technology company that provides interaction-management solutions
     for customer interactions in call centers and other environments (NEW)
   - A technology company that provides higher education learning
     technology to educational institutions and other clients (NEW)

While new charges have been added, the timeline and events of Thompson’s
alleged actions remained the same.

US prosecutors said Thompson used her knowledge from her previous
employment at Amazon along with scripts to scan for Amazon Web Services
(AWS) servers where web application firewalls had been misconfigured.

Thompson allegedly accessed these systems and downloaded data onto a server
she kept at her residence. She also reportedly installed cryptocurrency
mining software on some of the misconfigured servers in order to generate
personal profits.

Prosecutors said Thompson downloaded more than 20 terabytes of data
belonging to more than 30 companies from all over the world.

Her intrusions were discovered after she bragged online and posted some of
the stolen information on GitHub.

Thompson pleaded not guilty and was released on pre-trial bond in August
2019.

New trial set for March 2022

She was initially set to face trial in November 2019, but the trial was
delayed to March 2020 due to the huge amount of information the prosecution
had to analyze.

The trial was later rescheduled to October 2020 due to the COVID-19
pandemic, then to June 2021, then October 2021, and now to March 14, 2022,
with prosecutors still citing the need for more time to analyze the data
collected from Thompson’s devices.

With the new superseding charges, Thompson faces up to 20 years in prison,
compared to only five she faced based on the two charges from the 2019
indictment.

Capital One was fined $80 million in August 2020 for the 2019 security
breach and its failure to keep its users’ financial data secure.