Pages

Tuesday 30 July 2019

Transgender ex-Amazon employee, 33, is arrested for huge Capital One hack after 'stealing data from ONE HUNDRED MILLION customers' in the US and Canada then boasting about it online

A Seattle-based transgender former Amazon engineer has been arrested for allegedly hacking Capital One bank's systems to steal data it was storing on Amazon's Web Services cloud.
Paige Thompson, 33, was arrested for breaking into the bank's systems to steal the addresses, phone numbers and names of 100million people in the United States. 
A portion of that figure - 140,000 - also had their social security numbers and 80,000 had their credit card details accessed.  
Thompson allegedly pulled it off between March and July of this year by breaking into the bank's servers through a misconfiguration in its firewall. 
The data was being stored on Amazon's Web Services cloud but Amazon insists it is not to blame for the hack and that she exploited Capital One's systems to access it.  Capital One admits that it was a fault in its infrastructure, and not Amazon's, which led to the breach.  
After allegedly stealing the data, Thompson left authorities a trail of breadcrumbs, posting online about the hack so much that other hackers warned her she was facing jail.  
Her online postings about the hack were reported to Capital One on July 17 in an email from a white hat hacker who had seen the information on a website called GitHub alerted the bank to it in an email.  
What Thompson's motives were remain unclear. The bank said in a statement that it does not believe the hacker's intention was to steal people's money. 
On social media, she posted about her desire to commit suicide and complained about her boyfriend being deported to Greece in spite of his 'AWS principality'. 
When FBI agents searched her home and computers, they found she had also tried to target 'other entities' but they did not state what they were. 
Paige Thompson, 33, of Seattle, Washington, made her initial appearance in federal court on Monday, according to the Justice Department
Capital One said personal information including names, addresses, phone numbers and credit scores of about 100 million individuals in the United States and 6 million people in Canada were obtained by a hacker. The image above shows a Capital One location in San Francisco
Capital One said personal information including names, addresses, phone numbers and credit scores of about 100 million individuals in the United States and 6 million people in Canada were obtained by a hacker. The image above shows a Capital One location in San Francisco
Hacker 'steals' information of 100 million Capital One customers
Loaded: 0%
Progress: 0%
0:00
Previous
Play
Skip
Mute
Current Time0:00
/
Duration Time1:02
Fullscreen
Need Text
Capital One and the FBI announced the hack on Monday but said no one's money was taken. 

AMAZON DENIES BLAME FOR CAPITAL ONE HACK

Amazon was quick to issue a statement after the breach became public to say it was not its cloud's fault. 
The Capital One data that was taken was being stored on its Amazon Web Services cloud. 
However, both Amazon and Capital One say that it was a fault in Capital One's systems which allowed Thompson to access it.  
'AWS was not compromised in any way and functioned as designed. 
'The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. 
'As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud,' a spokesman told DailyMail.com. 
Capital One said in its announcement that its infrastructure is to blame. 
Though AWS insists its systems are not to blame, the breach stokes fears that data it was storing could be taken because other systems aren't up to scratch. 

'The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. 
'This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
'Safeguarding applicant and customer information is essential to our mission and our role as a financial institution. 
'We have invested heavily in cybersecurity and will continue to do so. 
'We will incorporate the learnings from this incident to further strengthen our cyber defenses.'
According to the FBI, Thompson posted information she gleaned from the hack onto the GitHub web site. 
Thompson is also alleged to have posted messages on social media admitting to the hacks while knowing that what she was doing was illegal.
She made her identity known by failing to properly encrypt her IP address which left her full name in it. 
On July 17, an anonymous internet user sent an email to Capital One indicating that someone was posting leaked data on GitHub.
The email contained a link whose address included Thompson’s full name - ‘paigeadelethompson’. 
Authorities say that they became convinced that Thompson was the owner of the GitHub page.
Thompson left a trail of bread crumbs for authorities by posting about the hack online
Thompson left a trail of bread crumbs for authorities by posting about the hack online 
She not only discussed the hack but threatened to release the information. Her motive remains unclear
She not only discussed the hack but threatened to release the information. Her motive remains unclear 
Capital One was tipped off by an anonymous tipster who said that leaked data began to appear on the GitHub web site
Capital One was tipped off by an anonymous tipster who said that leaked data began to appear on the GitHub web site
Thompson tweeted from this account, Erratic. It was part of the online trail investigators followed to find her
Thompson tweeted from this account, Erratic. It was part of the online trail investigators followed to find her 
The page includes a number of server list IP addresses that match the same addresses used by the hacker who broke into Capital One, according to the FBI.
The FBI says that it also found a Meetup page used by Thompson which contains a link inviting others to a Slack chat.
In that chat, Thompson, who went by the alias ‘erratic,’ admitted to others that she hacked the data and was looking for an online location to store it.
Her last known place of employment was at Amazon, where she worked as a systems engineer from May 2015 until September 2016
Her last known place of employment was at Amazon, where she worked as a systems engineer from May 2015 until September 2016
On June 27, one Meetup user chatting with ‘erratic’ wrote: ‘Sketchy s***...don’t go to jail plz.’
To which ‘erratic’ replied: ‘I wanna get it off my server that’s why I’m archiving all of it lol.’
FBI investigators also tracked down a Twitter account alleged to be that of Thompson.
The arrest affidavit contains a screenshot of a Twitter chat by ‘erratic’ in which the user admits: ‘I’ve basically strapped myself with a bomb vest, f*****g dropping capitol ones dox and admitting it...I wanna distribute those buckets i think first.’
The arrest affidavit filed by the FBI states that 'buckets' is synonymous with file folders.
By 'distributing buckets,' Thompson allegedly meant that she sought to 'disseminate data stolen from victim entities, starting with Capital One,' according to the FBI. 
Other Twitter posts included images of her and her cat, which she says needed to be euthanized by the vet
Other Twitter posts included images of her and her cat, which she says needed to be euthanized by the vet
In one Twitter post, she tagged the Seattle Police Department and President Trump, writing: 'I would like to make good on the deportation initiative and surrender myself to detainment and deportation. 'I am in this country illegally, I just want to get this over with. What should I do?'
In one Twitter post, she tagged the Seattle Police Department and President Trump, writing: 'I would like to make good on the deportation initiative and surrender myself to detainment and deportation. 'I am in this country illegally, I just want to get this over with. What should I do?'
She also claimed in a tweet that she is illegally in the United States and that she wants the government to deport her back to her native home on the Pacific island of Tuvalu
She also claimed in a tweet that she is illegally in the United States and that she wants the government to deport her back to her native home on the Pacific island of Tuvalu
In the same thread, she writes: 'I am unable to physically relocate back to where i came from, is there a line to get in perhaps i could catch a flight out with some other folks who are going back?'
In the same thread, she writes: 'I am unable to physically relocate back to where i came from, is there a line to get in perhaps i could catch a flight out with some other folks who are going back?'
According to Thompson's resume, she worked at a number of Seattle-area tech firms, including Amazon, ATG Stores, and Connect XYZ.  
Her last known place of employment was at Amazon, where she worked as a systems engineer from May 2015 until September 2016.  
Thompson's Twitter account reveals a troubled woman who speaks of her desire to undergo doctor-assisted suicide in Denmark.
She also tweeted that her 'boy' was deported to Greece, though it is unclear what she meant.
Thompson writes: 'look im not a stupid person but im hopeless on my own because my emotions are very hard to control i need someone i can trust and my boy got deported to greece despite his worthy MIT/aws/Ec2-security principality.'
MIT presumably is a reference to the Massachusetts Institute of Technology. 
Thompson remains in custody in Seattle
Thompson remains in custody in Seattle
Other Twitter posts included images of her and her cat, which she says needed to be euthanized by the vet. 
She also claimed in a tweet that she is illegally in the United States and that she wants the government to deport her back to her native home on the Pacific island of Tuvalu. 
In one Twitter post, she tagged the Seattle Police Department and President Trump, writing: 'I would like to make good on the deportation initiative and surrender myself to detainment and deportation. 
'I am in this country illegally, I just want to get this over with. What should I do?'
In the same thread, she writes: 'I am unable to physically relocate back to where i came from, is there a line to get in perhaps i could catch a flight out with some other folks who are going back?'  
This is the second hack for Capital One in two years. 
In July 2017, Capital One sent letters to an unspecified number of customers informing them that their data may have been compromised by one of the company's employees. 
Capital One said in the letter that it had fired the employee and notified law enforcement. 
The lender is not the only company that has had to deal with lapses in data protection and customer privacy.
Last week it was announced that Equifax, the credit-reporting company, will pay up to a record $650 million to settle U.S. federal and state probes into a massive 2017 data breach of personal information.
The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Board and nearly all state attorneys general. 
It also resolves pending class-action lawsuits against the company.
'This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,' New York Attorney General Letitia James said in a statement.
Equifax, one of three major credit-reporting companies, disclosed in 2017 that a data breach had compromised the personal information, including Social Security numbers, of 143 million Americans.
The scandal upended the company, which saw the exit of its chief executive, as its security practices and slow speed in disclosing the breach were challenged.
Washington policymakers questioned how private companies could amass so much personal data, setting off efforts to bolster consumers’ ability to protect and control their information.
Under the settlement, the company will establish a $300 million restitution fund for harmed consumers that could climb to $425 million depending on its use.
Consumers eligible for the fund must submit claims showing they were fraud victims or set up credit-monitoring services following the breach.
Equifax will also pay a $175 million fine to the states and $50 million to the CFPB.  

No comments:

Post a Comment