The United States Federal Bureau of Investigation has arrested a former Amazon Web Services engineer, Paige Adele Thompson, for exfiltrating large amounts of data on customers of the Capital One bank.
Thompson is alleged to have accessed about 100 million credit card applications as well as US social security numbers, stored on Capital One's AWS Simple Storage Service (S3) facility.
In the court documents, the authorities allege the 33-year-old Thompson used web application firewall commands between March 12 and July 17 this year to obtain credentials for an S3 administrator role.
With the admin credentials in hand, Thompson is alleged to have viewed the data in Capital One's S3 buckets, and also exfiltrated large amounts of information via a Swedish virtual private network provider, IPredator.
While Thompson used a VPN and The Onion Router (TOR) exit nodes to hide her activities on S3, she posted files related to the illegal data access on open source code repositories GitHub and GitLab using accounts bearing her full name, according to FBI investigators.
The GitLab account contained a résumé for Thompson, who is a systems and software engineer who worked at AWS from 2015 to 2016.
Thompson, who used the nickname "erratic" online, also posted about the Capital One data access on a Slack channel associated with a Meetup group that she's listed as the organiser for, expounding on her use of the admin commands on Capital One's S3 account.
Screenshots of chats provided by Capital One to the FBI suggest Thompson's motive for the data access was to "dox" the victims, or release large amounts of information on them, including their social security numbers and dates of birth.
"Ive [sic] basically strapped myself with a bomb vest, f*cking dropping capitol ones [sic] dox and admitting it," Thompson said.
Capital One said the data included information on individuals and small businesses who had applied for credit cards, from 2005 to early 2019.
This included full names, addresses, postal codes, phone numbers and emails, as well as dates of birth, and self-reported incomes. Some additional customer data such as credit scores, limits, balances, payment history and contact information was also taken, the bank said.
A million social insurance numbers assigned to Canadian Capital One customers were also compromised in the incident.
However, no actual credit card numbers or bank account information was taken, Capital One said.