Capital One: Convicted techie got in via 'misconfigured' AWS buckets

Assistant US attorney: 'She wanted data, she wanted money, and she wanted to brag'


Updated A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court.

The conviction follows the infamous 2019 hack of Capital One in which the personal information of more than 100 million US and Canadian credit card applicants was swiped from the financial giant's misconfigured cloud-based storage.

Paige Thompson (aka "erratic") was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."

According to the original July 2019 complaint [PDF], Capital One received an email to its responsible disclosure address stating: "There appears to be some leaked s3 data of yours in someone's github /gist."

The complaint added: "Capital One determined that the April 21 file contained code for three commands, as well as a list of more than 700 folders or buckets of data."

Capital One then confirmed that they "matched the actual names of folders or buckets of data used by Capital One for data stored at the cloud company."

According to the US Attorney's office, Thompson used a tool to scan AWS accounts in search of misconfigurations. She then used the results to siphon data from more than 30 entities, including Capital One. "With some of her illegal access," wrote the office, "she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet."
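The article only says the storage was "misconfigured". The following is an added illustration, not code from the article, from Capital One or from AWS, of the check a cloud security team would run on its own buckets: an offline evaluation of the three S3 settings that decide whether anyone on the internet can read a bucket (the bucket policy, the Public Access Block flags and the bucket ACL), applied to a weak configuration and its hardened counterpart. The bucket name, account id and role name are constructed; nothing here calls the AWS API. It goes a little beyond the article's case by also flagging public ACL grants and policy statements that are public only under a Condition.

```python
"""Offline audit of S3 bucket settings for public exposure.

Added illustration, not code from the article, Capital One or AWS.
All documents below are constructed; no AWS API calls are made.
"""
import json

# S3 ACL groups meaning "everyone" and "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Public Access Block flags; a hardened bucket sets all of them.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_actions(policy_json):
    """Actions a bucket policy allows to a wildcard principal.

    Statements carrying a Condition block are listed separately so a
    reviewer can judge whether the condition really limits the audience.
    """
    unconditional, conditional = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        target = conditional if stmt.get("Condition") else unconditional
        target.update(_as_list(stmt.get("Action", [])))
    return {"unconditional": sorted(unconditional), "conditional": sorted(conditional)}


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups as "Group:PERMISSION"."""
    found = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            found.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return found


def audit_bucket(bucket):
    """Report findings and an 'exposed' verdict for one bucket description.

    Verdict follows S3 semantics: RestrictPublicBuckets neutralises a public
    policy and IgnorePublicAcls neutralises public ACL grants, so a finding
    only counts as exposure when the matching block flag is not set.
    """
    pab = bucket["public_access_block"]
    findings = []
    missing = [k for k in PAB_KEYS if pab.get(k) is not True]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    policy = public_policy_actions(bucket["policy"])
    if policy["unconditional"]:
        findings.append("policy grants anyone: " + ", ".join(policy["unconditional"]))
    if policy["conditional"]:
        findings.append("policy grants anyone under a Condition (review): "
                        + ", ".join(policy["conditional"]))
    acl = public_acl_grants(bucket["acl"])
    if acl:
        findings.append("ACL grants public groups: " + ", ".join(acl))
    policy_exposed = bool(policy["unconditional"]) and pab.get("RestrictPublicBuckets") is not True
    acl_exposed = bool(acl) and pab.get("IgnorePublicAcls") is not True
    return {"bucket": bucket["name"], "findings": findings,
            "exposed": policy_exposed or acl_exposed}


# Constructed sample buckets: the weak configuration beside its hardened form.
_NAME = "example-applicant-data"  # constructed bucket name
WEAK_BUCKET = {
    "name": _NAME,
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{_NAME}", f"arn:aws:s3:::{_NAME}/*"]}]}),
    "public_access_block": {k: False for k in PAB_KEYS},
    "acl": {"Grants": [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]},
}
HARDENED_BUCKET = {
    "name": _NAME,
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        # constructed account id and role name
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{_NAME}/*"}]}),
    "public_access_block": {k: True for k in PAB_KEYS},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                        "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for b in (WEAK_BUCKET, HARDENED_BUCKET):
        print(json.dumps(audit_bucket(b), indent=2))
```

Run against real accounts, the same functions would take the output of the GetBucketPolicy, GetPublicAccessBlock and GetBucketAcl calls; keeping the evaluation separate from the API access is what makes it testable offline, and it is the "exposed" verdict, not the raw findings list, that belongs on a dashboard.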

Evidence from Thompson's own words in texts and online chats was used in the seven-day jury trial. The jury took 10 hours to come up with a verdict: guilty of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer. Thompson was found not guilty of aggravated identity theft or access device fraud.

Sentencing is due on September 15, 2022.

As for Capital One, it was memorably slapped with an $80 million fine and settled customer lawsuits for $190 million following the leak. The Office of the Comptroller of the Currency (OCC), an independent bureau of the US Department of Treasury, took the Virginia-based bank to task over its shoddy security practices and applied for a cease and desist order against Capital One, forbidding it from "engaging in unsafe or unsound practices, including those relating to information security."

Quite an expensive misconfiguration, all told.

"Ms Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," thundered US Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."

"She wanted data, she wanted money, and she wanted to brag," Assistant United States Attorney Andrew Friedman said in closing arguments.

The Register contacted Thompson's lawyers for comment and will update should they respond. ®

Updated to add at 1446 UTC

Capital One has been in touch to comment: "We are pleased with the outcome of the trial and remain thankful for the tireless work of the US Attorney's Office in Seattle and the FBI's Seattle Field Office in prosecuting this important case."
