August 16, 2019
Former Amazon employee Paige Thompson, charged with hacking Capital One Financial records, illegally accessed terabytes of data from 30+ other companies and institutions, according to authorities. Thompson, arrested July 29, was accused of stealing 106 million Capital One records, in what is considered to be one of the largest thefts of cloud-based data. Court documents reveal that Thompson stole 140,000 Social Security numbers, 80,000 bank account numbers, millions of credit card applications and one million Canadian social insurance numbers.
The Wall Street Journal reports that more information about the other companies impacted has not been released, but that, in her online posts, Thompson suggested she “had accessed data at several other entities, including Ford Motor; UniCredit SpA, Italy’s largest bank; and Michigan State University.”
Ford stated it wasn’t affected and the other two entities are still investigating the claims. Thompson, who will appear at a bail hearing on August 22, has a “long history” of threatening to kill herself and others. Prosecutors will urge the judge to deny bail to Thompson, who they also consider a flight risk.
According to experts, Thompson “displayed a high level of technical knowledge on the inner workings of Amazon’s cloud” in postings on discussion boards. She “allegedly exploited a common cloud configuration problem to access the Capital One data,” and the bank took responsibility for “not adequately securing its systems.”
Concern has also arisen that Amazon “could do more to protect its customers,” although the company insists that “none of its services were the underlying cause of the break-in.” Still, Amazon has been alerting its cloud customers about potential firewall issues and is “also considering additional changes that it can make to its cloud subsystems that will better protect its customers.”
Senator Ron Wyden (D-Oregon) said that, although he appreciates the effort, more needs to be done. “Without additional action, I fear we will continue to see repeats of the Capital One breach, with American consumers as the real victims,” he said.
The New York Times reports that “the revelation of additional stolen data was made in a filing in United States District Court in Western Washington as part of the prosecutors’ motion to deny bail to Thompson.” Prosecutors revealed that “much of the newly discovered stolen data did not contain personal identifying information.”
Authorities are working to identify the entities impacted and “expect to bring additional charges” against her. They did not say whether she “obtained the data during her employment at Amazon Web Services” but revealed that, during a search of her house, they found “an arsenal of weapons, ammunition and explosives in the bedroom of her roommate, who was a felon and was not allowed to possess firearms.”