The U.S. Department of Justice (DOJ) has filed seven new charges against Paige Thompson, the former Amazon Web Services (AWS) engineer accused of hacking Capital One and stealing the personal data of more than 100 million Americans.
The new charges, which include six counts of computer fraud and abuse and one count of access device fraud, were revealed in court documents filed earlier this month, obtained by The Record. The earlier indictment charged Thompson with one count each of wire fraud and computer crime and abuse, which meant she faced up to five years in prison and a fine of up to $250,000. Because of the additional charges, Thompson now faces up to 20 years of prison time.
The superseding indictment has also expanded the number of victimized companies from the four listed in the 2019 indictment to eight. In addition to Capital One, a U.S. state agency, a U.S. public research university and an international telecommunications conglomerate, the list now includes a data and threat protection company, an organization that specializes in digital rights management (DRM), a provider of higher education learning technology, and a supplier of call center solutions. The companies haven’t been named, but security firm CyberInt previously said that Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may all be victims of the breach.
Thompson, who used the handle “erratic” online and was identified after boasting about her actions on GitHub, remains accused of using her knowledge from her previous employment as a software engineer at Amazon to create a program that identified which customers of a cloud computing company (the indictment doesn’t name the company, but it has been identified as Amazon Web Services) had misconfigured firewalls. Once the tool found its target misconfiguration, Thompson allegedly exploited it to extract privileged account credentials.
The prior indictment alleges that once Thompson gained access to victims’ cloud infrastructure using the stolen credentials, she then accessed and downloaded data to a server at her residence in Seattle. It remains unclear whether any of the data was passed to third parties.
In the case of the Capital One breach, which the company confirmed in July 2019, the stolen data comprised 106 million credit card applications, which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. Capital One, which replaced its cybersecurity chief four months after the incident, was fined $80 million in August 2020 for the security breach and its failure to keep its users’ financial data secure.
Prosecutors also allege that Thompson copied and stole data from at least 30 entities in total that used the same cloud provider, and claim that, in some cases, she used this access to set up cryptocurrency mining operations using victims’ cloud computing power, a practice known as cryptojacking.
Thompson pleaded not guilty and was released on pre-trial bond in August 2019. She was initially set to face trial in November 2019, but the trial was delayed to March 2020 due to the huge amount of data the prosecution had to analyze.
The trial was later rescheduled to October 2020 due to the pandemic, then to June 2021, then October 2021, and now to March 14, 2022, with prosecutors still citing the need for more time to analyze the data collected from Thompson’s devices.