Software engineer Paige Thompson was arrested in late July for an unprecedented hack into a cloud server containing the personal data of over 100 million people who had filed credit card applications with leading financial institution Capital One. Thompson, who at the time of her arrest ran a hosting company called Netcrave Communications, had held a series of engineering jobs, including a stint at Amazon Web Services (AWS) in 2015 and 2016, where she presumably gained the skills to exploit a vulnerability in an application firewall on Capital One’s AWS server.
Thompson’s ultimate theft of the 100 million customer records, 140,000 Social Security numbers and 80,000 linked bank details of Capital One customers was apparently only one of her many hacks. In a legal filing related to keeping her remanded into custody, federal prosecutors say she hit more than 30 other targets, including companies and educational institutions.
Online postings by Thompson obtained by the Wall Street Journal suggest that those other targets might include Ford Motor Co., UniCredit (Italy’s largest bank), and Michigan State University. Thompson’s hacking efforts stand apart from the vast majority of major hacks over the past decade because her motivations appeared not to be political or financial or nation-state directed.
Her actions also stand apart from other major breaches and data thefts because Thompson, unlike most “black hat” hackers, left an extensive trail of public evidence that she was not only engaged in these malicious activities, but that she also had Capital One specifically in her sights. Thompson was active on her now-removed Twitter account and on June 18 wrote “I’ve basically strapped myself with a bomb vest, f*cking dr0pping capitol ones dox and admitting it.”
Later, on July 5, Thompson wrote, “I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”