SEATTLE— The former Amazon software engineer who allegedly hacked into Capital One bank and more than 30 different companies to steal more than 100-million consumer records has been indicted by a federal grand jury.
In addition to the charges she not only broke into the company's computer system, she was further charged with stealing data for her own benefit.
Paige Thompson has been charged by federal prosecutors with wire fraud, computer fraud and abuse in the indictment. She's scheduled to be arraigned Sept. 5. Thompson faces up to 25 years in prison.
As CUToday.info reported, Thompson was arrested in July arrested in July for allegedly stealing the personal information of more than 100 million U.S. Capital One customers and potential customers, including Social Security numbers and bank account numbers, and the data of an additional six-million consumers in Canada.
Thompson actually revealed her crimes herself after posting on GitHub that she had stolen the data. Another GitHub user saw the post and alerted Capital One, which in turn contacted the FBI.
According to the indictment, Thompson allegedly accessed the data through the use of “scanning software” she created that allowed her to identify the customers of a cloud computing company that had “misconfigured their firewalls.” Thompson also allegedly used stolen power from the computers accessed to “mine cryptocurrency for her own benefit,” the indictment reads.
Actual Number May Be Smaller
While the 100-million figure is the potential number involved, Capital One has said its estimate is 14,000 Social Security numbers of credit card customers’ data were accessed and about 80,000 linked bank account numbers of secured credit card customers were compromised, with around one million Social Security numbers of Canadian customers also compromised.
The Justice Department noted there continues to be no evidence Thompson sold or disseminated any of the stolen data.
The indictment states three of the other groups Thompson is alleged to have stolen data from are a telecommunications group based outside the U.S., a public research university, and a state agency. The cybersecurity group CyberInt has said those groups may have been Vodafone, Michigan State University and the Ohio Department of Transportation, but that has not been confirmed.