Skip to main content
close search
site logo
Dive Brief

Capital One's hacker breached more than 30 organizations, prosecutors say

Published Aug. 15, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Nathan Dumlao

First published on

CIO Dive

Dive Brief:

  • Paige "erratic" Thompson, the accused hacker behind Capital One's breach, has been implicated in more than 30 other "victim companies" and breaches, according to court documents from U.S. prosecutors, obtained by ZDNetLaw enforcement is still working to identify all the other breached entities found on Thompson's servers. 
  • Thompson is currently charged with "massive data theft," unauthorized access to servers rented or contracted by Capital One, and stealing "huge volumes" of data, according to the documents. The evidence against Thompson for the bank's data breach, which included recovered data found in a server in her bedroom, is "overwhelming," 
  • The same servers held data from other entities, though currently the data is not personally identifiable information. The stolen data, from Capital One or the other organizations, has not been sold or duplicated, according to Thompson, and authorities have yet to find evidence that says otherwise. Thompson has a history of "threatening behavior" that added to her run ins with law enforcement before, according to the documents. The addition of more breached companies adds to Thompson's charges. 

Dive Insight:

Last month Capital One disclosed a data breach impacting 106 million customers who filed applications for credit card products between 2005 and 2019 or Capital One credit card holders. 

While the bulk of the stolen information was credit scores, balances and payment history, about 140,000 unencrypted Social Security numbers and 80,000 bank account numbers were also compromised. 

Thompson accessed Capital One servers contracted through Amazon Web Services. She is reportedly a former AWS employee and used a misconfigured web application to gain entry. Her intrusion escalated with privileged access.

Web application firewall vulnerabilities are the most common flaws to exploit. When an attacker finds success with basic security flaws, they will repeat the behavior.

While it's still unknown how Thompson gained access to the other entities' systems, there has always been a long list of easy-to-find cross-site scripting vulnerabilities to choose from. 

Though the onus of the security flaw falls on Capital One, the incident calls into question the bank's public cloud-first strategy. But Capital One's use of a public cloud was not the issue: the bank's fatal mistake was leaving sensitive data unencrypted and an application misconfigured. 

Recommended Reading

Editors' picks

  • Donald Trump gestures while speaking into a microphone, with blue and white text blurred in the background.
    Image attribution tooltip
    Chip Somodevilla / Staff via Getty Images
    Image attribution tooltip

    6 regulatory moves, people whose days are numbered under Trump

    With another Trump presidency set to kick off in January, the clock has turned against several Democratic appointees and agenda items.

    By Caitlin Mullen and Dan Ennis • Nov. 6, 2024
  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024

Company Announcements

View all | Post a press release
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Agent IQ
October 31, 2024
Congressman urges CFPB to support SoLo Funds’ community-focused lending model
From Solo Funds
October 30, 2024
Unitus Community Credit Union Deploys JUDI.AI to Scale Small Business Lending
From JUDI.AI
October 31, 2024
Editors' picks
  • Donald Trump gestures while speaking into a microphone, with blue and white text blurred in the background.
    Image attribution tooltip
    Chip Somodevilla / Staff via Getty Images
    Image attribution tooltip

    6 regulatory moves, people whose days are numbered under Trump

    With another Trump presidency set to kick off in January, the clock has turned against several Democratic appointees and agenda items.

    By Caitlin Mullen and Dan Ennis • Nov. 6, 2024
  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024
Latest in Commercial
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell