A software engineer could be the lone wolf actor at the heart of Capital One’s recent data breach.
The FBI arrested Paige Thompson, age 33, on Monday, after an investigation led federal authorities to believe she is responsible for the theft of over 100 million Capital One customer records.
Thompson faces Department of Justice charges of computer fraud and abuse for an intrusion into Capital One’s stored data. The FBI tracked down the suspect with help from Capital One, which received a tip about the stolen data in an email and was able to link her identity to a number of social media and user accounts.
The theft is unlike any other major data breach: the allegation that Thompson acted as a lone wolf insider sets Capital One’s situation apart from the crises at Equifax and Marriott, where criminals with connections to nation-states attacked the companies from the outside.
According to the DOJ complaint, Thompson, known online by the alias “erratic,” worked in the Seattle, Washington area as a software engineer at a technology company. She allegedly intruded “into servers rented or contracted” by Capital One “from a company that provides cloud computing services.” The DOJ did not identify the cloud provider, instead referring to it as the “Cloud Computing Company” in the complaint.
Thompson’s former employer is the cloud business of Amazon, also known as Amazon Web Services. While the DOJ did not identify Amazon in the complaint, federal investigators do mention Thompson’s resume showing she worked at a cloud software company from 2015 to 2016.
“AWS was not compromised in any way and functioned as designed,” an Amazon Web Services spokesperson said in a statement to CNBC. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure … this type of vulnerability is not specific to the cloud.”
An Amazon spokesperson told Bloomberg News that Thompson last worked for Amazon three years ago.
Capital One gets a tip
The financial institution received an anonymous tip on July 17. The person emailed Capital One, saying that “there appears to be some leaked s3 data of yours in someone’s github … let me know if you want help tracking them down,” a screenshot showed.
The DOJ said the GitHub file “contained the IP address for a specific server” of Capital One, which had “a firewall misconfiguration” that “permitted commands to reach and be executed by that service, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company.”
Thompson allegedly took data that was primarily “related to credit card applications,” the complaint said, including about 120,000 Social Security Numbers and about 77,000 bank account numbers.
The FBI tracks Thompson through social media accounts
According to the DOJ complaint, the FBI found Thompson’s account on Meetup, the online app to connect people for activities and events. The FBI found a group organized by “erratic,” Thompson’s alias.
The Meetup group contained an invitation to a Slack channel, and the FBI reviewed postings on that channel. A Slack user named “erratic” posted a list of files, the DOJ said, which the user “claimed to possess.” The FBI believes the files match the data stolen on April 21.
Additionally, the DOJ complaint included an FBI screenshot of the Slack channel, in which another user says that this is “sketchy s—” and “don’t go to jail plz.”
“I wanna get it off my service that why Im archiving all of it,” the user “erratic” said. “Its all encrypted.”
The FBI also alleges that Thompson talked in the Slack channel “about one of her pets,” the DOJ complaint said. A post showed “an estimate from a veterinarian dated June 10, 2019, provided to ‘Paige Thompson’ at the same address listed on the ‘Paige Thompson’ resume described.”
Thompson used the “erratic” alias for a Twitter account. With nearly 900 posts, and some as recent as the day of her arrest, Thompson tweeted about her work, programming and cats. But a series of tweets on July 5 paint a worrying picture about her mental health, as she appeared to intend to check herself into an institution. Thompson began the tweets by saying “tomorrow I’m going to call in ahead and schedule a euthanasia for my cat.”
“After this is over I’m going to go check into the mental hospital for an indefinite amount of time. I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back,” Thompson said in a following tweet.
In a post directed at a Twitter user, Thompson asked “would you be interested in giving a statement regarding my mental health so that when I go to commit myself after I have my cat put to sleep I can just f—— stay somewhere and be in peace indefinitely.”
“All you gotta do is just tell them how f—– up I am I’ll give you info,” Thompson said in a tweet.
Capital One also shared with the FBI a screenshot of Thompson’s apparent Twitter account messaging with the individual who sent the company the tip about the stolen data. The Twitter user “ERRATIC” messaged that “Ive basically strapped myself with a bomb vest, f—— dropping capital ones box and admitting it,” the DOJ complaint showed.
The FBI said in the complaint that this indicates Thompson “intended to disseminate data stolen from victim entities, starting with Capital One.”
Thompson faces up to five years in prison, as well as a $250,000 fine.