back to article Chin up, CapitalOne: You may not have been the suspected hacker's only victim. Feds fear 30-plus organizations hit

The ex-Amazon software engineer accused of stealing the personal information of 106 million people from Capital One's cloud-hosted databases may have hacked dozens of other organizations. This is according to a filing [PDF] this week by prosecutors in a US federal district court in Seattle, where suspected cyber-thief Paige …

  1. grizewald


    So here we have someone who, even to the most casual reader, obviously doesn't have all their mental ducks swimming in the same direction and they are treated as if they are some cybercriminal mastermind caught sitting on piles of ill gotten gains.

    This looks like a vindictive, spiteful prosecution of someone who is probably more in need of help at a mental hospital than being locked up in a disgusting American prison.

    Is there actually any evidence that she sold any of the data she downloaded? There's a huge difference between downloading stuff to prove that you can and selling it to fraudsters to have fun with.

    1. Mark 85 Silver badge

      Re: Spiteful

      If she pleads "by reason of insanity" or the jury finds for that, she won't go to prison but a mental facility. Will she get 'help" there? Who knows as they're marginally better than prison and at least help is offered.

      1. Dal90

        Re: Spiteful

        Any claim of an insanity defense went out the window with her writing, "Ive basically strapped myself with a bomb vest, f***ing dropping capital ones dox and admitting it"

        She was aware of her actions, aware they were wrong, and aware they came with negative consequences for her.

        Whether she's competent to stand trial is more questionable, in which case treatment would only delay a trial.

        1. Michael Wojcik Silver badge

          Re: Spiteful

          Agreed. Also the insanity defense is rarely successful even when a defendant meets the criteria.

          In this case, while I agree Thompson is almost certainly not in good mental health and needs (and deserves) treatment, I think it's also clear that by the current legal standard in the US she's fit to stand trial and receive punishment, including fines and incarceration. Whether the punishment she potentially faces, or whatever she actually ends up receiving, is appropriate and proportional is another question. But unlike some of the people tried for hacking, she appears to have done actual harm.

          For the record, I (like many people in the US) think the statutory punishments for many crimes in the US are grossly excessive; that the US incarceration epidemic is one of our great national disgraces; and that "tough on crime" politicians and their cronies are foolish or immoral. But that doesn't mean that people who knowingly do wrong should suffer no consequences simply because they're somewhat emotionally unbalanced. Plenty of other people in that situation don't go around committing crimes.

          I'd be interested to know whether she ever sought treatment for her mental-health issues. She apparently has been unemployed for nearly three years (which I'm sure takes its toll), but was often employed since 2005, and presumably would have had health insurance during those periods. Did she take advantage of it? Far too many people don't.

    2. ST Silver badge

      Re: Spiteful

      > There's a huge difference between downloading stuff to prove that you can and selling it to fraudsters to have fun with.

      There might be a difference in terms of how many decades of prison time can be added to the sentence of someone found guilty of profiting from accessing the computer systems of a US financial institution without authorization. Selling stolen data to nefarious third parties might add another 20 years in the cooler.

      But unauthorized access to any computer system belonging to a financial institution is a big no-no in the US, regardless of profit motive, and has been so for decades:

      US Computer Fraud and Abuse Act.

      You might argue that the statute is overly broad, or what not, but breaking into a bank's systems and stealing PID just for kicks doesn't go over well.

  2. ecofeco Silver badge

    Like I say, another week...

    ...another hack.

    1. JimboSmith Silver badge

      Re: Like I say, another week...

      This is another example of why I don't like the fact that a year ago we switched to a cloud based HR system using AWS.

      1. Anonymous Coward
        Anonymous Coward

        Re: Like I say, another week...

        The number of high profile victims offers a certain level of amusement, along the lines of "haha they got caught out", combined with every IT professional who is responsible for a network also thinking "thank god it wasn't us"....

        1. Mongrel

          Re: Like I say, another week...

          combined with every IT professional who is responsible for a network also thinking "thank god it wasn't us"....

          ...this time

          1. Richard Jones 1

            Re: Like I say, another week...

            Or perhaps, maybe it was not us this time, we'll find out later.

  3. JKG

    More Info

    This CBS article has more info:

    "Neo Nasrati, CEO of ColumbusSoft, which acquired Seattle Software Solutions from its previous owner, said Thompson was a "very talented 'white hat' ethical hacker" who excelled at testing clients' security systems for flaws."

    "Thompson doesn't appear to have accessed the bank accounts or sold the data. Amazon says the knowledge that was used to obtain Capital One's files was something that could be found out by anyone, and wasn't information that would have been obtained from working at the company."

  4. Stevie Silver badge


    To the organbanks with her!

  5. Michael Wojcik Silver badge

    AWS arguably shares some of the blame

    Cloudflare's Evan Johnson has a good explanation of what Capital One did wrong, and is of the opinion that this kind of problem is difficult to detect and prevent, and that AWS doesn't do enough to help customers secure their systems against it.

    It's interesting to note that the underlying issue was an SSRF vulnerability in a security component - the WAF module. So the Capital One admins had gone to some effort to secure their site using well-known mechanisms, but missed an inobvious vulnerability in a firewall configuration. This is rather different to, say, the Suprema breach, which was straightforward incompetence on the part of the admins; or the now-commonplace "we didn't secure our S3 buckets" failure mode.

    1. diodesign (Written by Reg staff) Silver badge

      Re: AWS arguably shares some of the blame

      In the past we've linked to this explanation

      Though it's not confirmed exactly how the break-in happened.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019