USA TODAY International Edition
Who is the suspect?
Ex-Amazon engineer may have cast wider net
FBI says Paige A. Thompson, 33, of Seattle, planned to disseminate the stolen data.
A Seattle woman who is charged with taking data on more than 100 million customers from Capital One reportedly is a former Amazon Web Services systems engineer who may have accessed data from more companies.
Paige A. Thompson, 33, is charged with computer fraud and abuse in a criminal case filed Monday in federal court in Seattle.
In the filing, the Federal Bureau of Investigation says Capital One was notified in an email tip on July 17 that some of the acquired data was being stored on Github, an online platform with more than 36 million users. Also in that Github account, timestamped April 21, 2019, was Thompson’s résumé, FBI special agent Joel Martini says in the filing.
Thompson left an online trail including IP addresses linked to a VPN named IPredator – located in Cyprus, according to its website – and postings on online group event service Meetup and instant messaging platform Slack, Martini said.
She posted on Twitter about being a transgender woman and navigating “emotional entropy.”
This month, Thompson tweeted about having to euthanize her cat. “After this is over I’m going to go check into the mental hospital for an indefinite amount of time,” the tweet said. “I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”
Thompson’s résumé says she worked at Amazon from May 2015 to September 2016, and listed her job as a systems engineer who worked on S3 or Amazon Simple Storage Service, which is Amazon’s platform for storing “data for millions of applications for companies all around the world.”
Her online credentials and internet protocol addresses were found to be involved with accessing a server, which had a misconfigured firewall, and with downloading data in March 2019 from Capital One’s storage space on Amazon’s cloud system, the filing said.
FBI agent Martini also identified Thompson’s Twitter account, which used the name “Erratic,” and found a direct message in which Thompson bragged about plans to distribute the acquired data – Social Security numbers, names and birth dates. The message read, according to the filing: “Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting. I wanna distribute those buckets I think first. … There ssns…with full name and dob.”
Martini said, “I understand this post to indicate ... Thompson intended to disseminate data stolen from victim entities, starting with Capital One.”
Computer security writer Brian Krebs wrote that he reviewed comments on the Slack channel Thompson used and found a June 27 comment “listing various databases she found by hacking into improperly secured Amazon cloud instances,” he wrote on the KrebsOnSecurity security news site.
“That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations,” he said.
“In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were,” Krebs wrote. “Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites – often surreptitiously – designed to mine cryptocurrencies.”
The FBI on Monday searched the Seattle home where Thompson lived and found “numerous digital devices … (with) files that referenced Capital One” as well as Amazon, according to the filing, and “other entities that may’ve been the targets of attempted or actual network intrusions, and ‘erratic’ the alias associated with (Thompson).”
A housemate of Thompson’s in the Beacon Hill home in southeast Seattle told the Associated Press, “It was an FBI breach team with M4s in our faces,” said the roommate who gave her name as Ashley.”
Ashley said that Thompson has great computer skills and “just wanted to see if she could (get the data). She had no nefarious intentions with the data.”
A housemate told KIRO-TV Monday, “We didn’t know what she was doing ... She didn’t want to come out – she was like why are you here?” the roommate said. “Her Twitter handle is very fitting – you’ve seen it, ‘erratic.’ That’s pretty much the best way to describe her.”
On June 29, Thompson’s account sent a retweet of a news story about several firms including Netflix that had data exposed on Amazon cloud storage.
Thompson, who has a bail hearing Thursday and faces up to five years in prison and a $250,000 if convicted, “broke down and laid her head down ... (at) the hearing,” Bloomberg reported.