A Seattle woman who is charged with taking data on more than 100 million customers from Capital One is reportedly a former Amazon Web Services systems engineer who may have accessed data from more companies.
Paige A. Thompson, 33, is charged with computer fraud and abuse in a criminal case filed Monday in federal court in Seattle.
In the filing, the Federal Bureau of Investigation says Capital One was notified in an email tip on July 17 that some of the acquired data was being stored on GitHub, an online platform with more than 36 million users. Also in that GitHub account, timestamped April 21, 2019, was Thompson’s resume, FBI special agent Joel Martini says in the filing.
Thompson left an online trail including IP addresses linked to a VPN named IPredator – located in Cyprus, according to its website – and postings on online group event service Meetup and instant messaging platform Slack, Martini said.
She posted on Twitter about being a transgender woman and navigating “emotional entropy.”
Earlier this month, Thompson tweeted about having to euthanize her cat. “After this is over I’m going to go check into the mental hospital for an indefinite amount of time,” the tweet continued. “I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”
Thompson’s résumé says she worked at Amazon from May 2015 to September 2016, and listed her job as a systems engineer who worked on S3 or Amazon Simple Storage Service, which the company says is its platform for storing “data for millions of applications for companies all around the world.”
Her online credentials and internet protocol addresses were found to be involved with accessing a server, which had a misconfigured firewall, and with downloading data in March 2019 from Capital One’s storage space on Amazon’s cloud system, according to the filing.
FBI agent Martini also identified Thompson’s Twitter account, which used the name “Erratic,” and found a direct message in which Thompson bragged about plans to distribute the acquired data – Social Security numbers, names and birthdates. The message read, according to the filing: “Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting. I wanna distribute those buckets I think first. … There ssns…with full name and dob.”
Martini said in the filing, “I understand this post to indicate … Thompson intended to disseminate data stolen from victim entities, starting with Capital One.”
Computer security writer Brian Krebs wrote on the KrebsOnSecurity security news site that he reviewed comments on the Slack channel Thompson used and found a June 27 comment “listing various databases she found by hacking into improperly secured Amazon cloud instances.”
“That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations,” he said.
On Slack, Thompson/Erratic “also posted frequently … about her struggles with gender identity, lack of employment, and persistent suicidal thoughts,” Krebs wrote.
“In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were,” he wrote. “Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites – often surreptitiously – designed to mine cryptocurrencies.”
The FBI on Monday searched the Seattle home where Thompson lived and found “numerous digital devices … (with) files that referenced Capital One” as well as Amazon, according to the filing, and “other entities that may’ve been the targets of attempted or actual network intrusions, and ‘erratic’ the alias associated with (Thompson).”
“It was an FBI breach team with M4s in our faces,” a housemate of Thompson’s in the Beacon Hill home in southeast Seattle told the Associated Press. The roommate gave her name as Ashley but asked that her last name not be used. “They came in hard. They came in with a purpose.”
Ashley said that Thompson has great computer skills and “just wanted to see if she could (get the data). She had no nefarious intentions with the data.”
A housemate in the Beacon Hill home told CBS affiliate KIRO-TV Monday, “We didn’t know what she was doing … She didn’t want to come out – she was like why are you here? Her Twitter handle is very fitting – you’ve seen it, ‘erratic.’ That’s pretty much the best way to describe her.”
On June 29, Thompson’s account sent a retweet of a news story about several firms including Netflix that had data exposed on Amazon cloud storage.
Thompson, who will have a bail hearing Thursday and faces up to five years in prison and a $250,000 fine if convicted, “broke down and laid her head down on the defense table during the hearing” on Monday, according to Bloomberg.
Follow USA TODAY reporter Mike Snider on Twitter: @MikeSnider.