New charges filed against Capital One hacker, trial postponed to 2022
The US government has filed a superseding indictment against Paige A. Thompson, a former Amazon engineer accused of hacking Capital One and stealing the personal data of more than 100 million Americans.
According to court documents filed earlier this month and obtained by The Record, the US Department of Justice has added seven new charges on top of the original two it filed in August 2019.
The new charges—six counts of computer fraud and abuse, and one count of access device fraud—come as investigators have made headway in analyzing data seized from Thompson's computers and servers.
The superseding indictment has also expanded the number of victimized companies from four listed in the 2019 indictment to eight, including:
- Capital One
- A US state agency
- A telecommunications conglomerate located outside the US
- A US public research university
- A technology company that specializes in digital rights management (NEW)
- A technology company that provides data and threat protection services (NEW)
- A technology company that provides interaction-management solutions for customer interactions in call centers and other environments (NEW)
- A technology company that provides higher education learning technology to educational institutions and other clients (NEW)
While new charges have been added, the timeline and events of Thompson's alleged actions remained the same.
US prosecutors said Thompson used her knowledge from her previous employment at Amazon along with scripts to scan for Amazon Web Service (AWS) servers where web application firewalls had been misconfigured.
Thompson allegedly accessed these systems and downloaded data onto a server she kept at her residence. She also reportedly installed cryptocurrency mining software on some of the misconfigured servers in order to generate personal profits.
Prosecutors said Thompson downloaded more than 20 terabytes of data belonging to more than 30 companies from all over the world.
Her intrusions were discovered after she bragged online and posted some of the stolen information on GitHub.
Thompson pleaded not guilty and was released on pre-trial bond in August 2019.
New trial set for March 2022
She was initially set to face trial in November 2019, but the trial was delayed to March 2020 due to the huge amount of information the prosecution had to analyze.
The trial was later rescheduled to October 2020 due to the COVID-19 pandemic, then to June 2021, then October 2021, and now to March 14, 2022, with prosecutors still citing the need for more time to analyze the data collected from Thompson's devices.
With the new superseding charges, Thompson faces up to 20 years in prison, compared to only five she faced based on the two charges from the 2019 indictment.
Capital One was fined $80 million in August 2020 for the 2019 security breach and its failure to keep its users' financial data secure.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.