Capital One’s hacker breached more than 30 organizations, prosecutors say

Dive Brief:

  • Paige “erratic” Thompson, the accused hacker behind Capital One’s breach, has been implicated in more than 30 other “victim companies” and breaches, according to court documents from U.S. prosecutors, obtained by ZDNetLaw enforcement is still working to identify all the other breached entities found on Thompson’s servers. 
  • Thompson is currently charged with “massive data theft,” unauthorized access to servers rented or contracted by Capital One, and stealing “huge volumes” of data, according to the documents. The evidence against Thompson for the bank’s data breach, which included recovered data found in a server in her bedroom, is “overwhelming,” 
  • The same servers held data from other entities, though currently the data is not personally identifiable information. The stolen data, from Capital One or the other organizations, has not been sold or duplicated, according to Thompson, and authorities have yet to find evidence that says otherwise. Thompson has a history of “threatening behavior” that added to her run ins with law enforcement before, according to the documents. The addition of more breached companies adds to Thompson’s charges. 

Dive Insight:

Last month Capital One disclosed a data breach impacting 106 million customers who filed applications for credit card products between 2005 and 2019 or Capital One credit card holders. 

While the bulk of the stolen information was credit scores, balances and payment history, about 140,000 unencrypted Social Security numbers and 80,000 bank account numbers were also compromised. 

Thompson accessed Capital One servers contracted through Amazon Web Services. She is reportedly a former AWS employee and used a misconfigured web application to gain entry. Her intrusion escalated with privileged access.

Web application firewall vulnerabilities are the most common flaws to exploit. When an attacker finds success with basic security flaws, they will repeat the behavior.

While it’s still unknown how Thompson gained access to the other entities’ systems, there has always been a long list of easy-to-find cross-site scripting vulnerabilities to choose from. 

Though the onus of the security flaw falls on Capital One, the incident calls into question the bank’s public cloud-first strategy. But Capital One’s use of a public cloud was not the issue: the bank’s fatal mistake was leaving sensitive data unencrypted and an application misconfigured.