Alleged Capital One Hacker Pleads Not GuiltyPaige Thompson's Trial Date Tentatively Set for November
Paige A. Thompson, who prosecutors allege hacked into Capital One's network to access millions of credit card applications, has pleaded not guilty to federal computer crime charges.
Thompson, a 33-year-old software engineer who lives in the Seattle area, faces federal charges of wire fraud and computer crime and abuse. She remains in federal custody.
The defendant entered her plea during an arraignment on Thursday in federal court in Seattle. She faces up to 25 years in prison if convicted on both counts. A judge set a tentative trial date for Nov. 4, according to documents filed in the case.
Thompson's court-appointed attorneys did not reply to a request for comment.
On Aug. 4, Capital One confirmed that data from 100 million U.S. individuals as well as 6 million individuals in Canada appeared to have been stolen. A few days before, on July 29, the FBI arrested Thompson at her home and charged her with hacking into the bank's network using a misconfigured firewall to gain access to data stored within a cloud computing infrastructure.
After her initial arrest by FBI agents, the U.S. attorney's office in Seattle filed additional court papers in the case alleging that Thompson stole data from over 30 other businesses and organizations, based on servers found in her home that contained "multiple terabytes of data" (see: Prosecutors Allege Capital One Suspect Stole From Many Others).
Hacking Capital One
Sometime between March and July, Thompson took advantage of a misconfigured firewall within Capital's One network and then gained access to several years' worth of credit card data stored within the company's cloud storage system, according to the indictment.
Although the cloud provider involved is not specified the indictment, Capital One has previously stated that it uses Amazon Web Services for its cloud infrastructure and that it also uses the company's Simple Cloud Storage Service, or Amazon S3, to store its data.
Thompson worked for Amazon Web Service for about a year between 2015 and 2016 in a division dedicated to developing S3 capabilities, according to news reports.
During the time she hacked into Capital One's network, she also took data from 30 other organizations that used the same cloud services provider, prosecutors allege. She also used the computing power she accessed to illegally mine for cryptocurrency, which is commonly referred to as cryptojacking, according to the indictment.
Prosecutors have not revealed the other organizations from which Thompson stole data, although court documents describe one as a state agency and another as a public research university.
To bypass security within the organizations she targeted, Thompson allegedly created tools to scan servers hosted by a cloud computing company, according to the indictment. She looked for misconfigured web application firewalls that would allow her to send commands from outside the network to access the data stored within the networks, the indictment alleges.
It's not clear what Thompson, who used the handle "erratic" online, planned to do with the data she allegedly stole.
At one point, FBI investigators found that Thompson bragged on GitHub that she had taken Capital One data and was deciding what do with it, court documents show. On July 17, an unnamed GitHub user contacted Capital One's security team about the GitHub posting.
Capital One and prosecutors believe that only Thompson accessed the stolen data.
Thompson tried to conceal her identity and location while stealing data by using a virtual private networking service called iPredator as well as using the anonymizing Tor network to access the cloud computing servers, prosecutors allege.
Capital One Financial Corp., based in McLean, Virginia, is a financial holding company whose subsidiaries, which include Capital One, N.A., and Capital One Bank (USA), N.A., had $254.5 billion in deposits and $373.6 billion in total assets as of June 30.