Nearly one month after the FBI arrested and charged Paige Thompson in connection with the Capital One breach, a grand jury has indicted her in connection with stealing data from more than 30 other organizations.
The indictment was filed in the U.S. District Court for the Western District of Washington at Seattle Wednesday and charged Thompson on counts of wire fraud and computer fraud and abuse. The filing states that Thompson “copied and stole data from more than 30 different entities.” This includes the Capital One breach, but the filing only mentions three other unnamed victims: a state agency, a telecom conglomerate located outside of the U.S. and a public research university.
Previously released evidence suggested that Thompson had stolen data from more organizations, including the Ohio Department of Transportation, Vodafone and Michigan State University.
When initially asked at the beginning of August about the potential breach, Vodafone told SearchSecurity that the company was “not aware of any information that relates to the Capital One security breach.” Following the new indictment, a Vodafone spokesperson said, “Our investigation has found no impact on Vodafone customer data or other personal data in connection with this incident. We will continue to work with the relevant authorities to support their investigation.”
Michigan State University and the Ohio Department of Transportation have not responded to requests for comment at this time. However, Ford — which was also indicated as a possible victim in the previously released evidence — said, “Ford was not impacted by the alleged Capital One hacker.”
The indictment noted that Capital One and the three unnamed victim organizations all rented computer servers from “The Cloud Computing Company.” While The Cloud Computing Company is not named, Thompson was previously employed by AWS and the FBI complaint made reference to “buckets” and “leaked S3 data,” which suggests AWS as the cloud provider for the victims.
The Capital One breach affected approximately 100 million customers in the U.S. and 6 million in Canada. The new indictment claims Thompson also used access to victim servers to install cryptojackers.
The Department of Justice (DOJ) wrote in a press release that, “Thompson created scanning software that allowed her to identify customers of a cloud computing company who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers. Thompson used this access not only to steal data, but also used stolen computer power to ‘mine’ cryptocurrency for her own benefit, a practice known as “cryptojacking.'”
Based on descriptions of the Capital One breach from the FBI complaint, some experts theorized that a server-side request vulnerability (SSRF) was used by Thompson to access AWS’ metadata service and obtain credentials from the service. AWS claimed in a letter to Sen. Ron Wyden (D-Ore.) that “SSRF was not the primary factor in the attack.”
While the indictment said Thompson used a VPN service from IPredator and the Tor network to attempt to hide her actions, the DOJ statement said law enforcement became aware of her activity “after she shared information with another user on the site GitHub relating to her theft of information from the servers storing Capital One data.”
The charges in Wednesday’s indictment carry penalties of up to 25 years in prison.