In July of this year, an investigation began on a massive data breach at Capital One. On September 5, the defendant pleaded not guilty, so I thought this would be a good time to discuss what happened since this is one of the best hacking stories I’ve heard since I’ve been interested in computer security.
Paige Thompson was a 33-year-old software engineer living in Seattle. She frequently posted on Twitter about her fascinating life, tweeting hacking tips and lamenting her dating life and the death of her cat, Millie.
Outside of her life as a software engineer, Thompson had a shady side, running a hacking meetup group called ‘Seattle Warez Kiddies’. This group had their own slack channel, which she frequently messaged under the handle erratic.
Paige was accused of compromising the personal data from over 100 million customers, including 140,000 Social Security Numbers and 80,000 bank account numbers. She then posted this data to Github, where a whistleblower eventually spotted it and reported to Capital One.
Johnson, who previously worked at AWS, had a deep understanding of cloud architecture and security. She used this knowledge to create a tool to scan a certain cloud provider’s customers for misconfigurations, which she then used to gain unauthorized access to their data.
The investigation began after Capital One received a tip from an unknown email address reporting that some of their data may have been leaked on Github.
Unfortunately, despite being an expert in cloud security, Johnson did not practice especially good operational security and used her full name as the GitHub username on the leak. From here, investigators were able to find her meetup group and its associated slack channel, where she made the mistake of bragging about her exploits, claiming she had “basically strapped [her]self with a bomb vest,” and detailing the methods she used to stay anonymous.
Thompson was indicted on August 28 for violation of Title 18, United States Code, Section 1030(a)(2). She pleaded not guilty on September 5 and has a jury trial scheduled for November 4.
Written by Daniel Monteagudo on September 9, 2019