A federal indictment alleges that the hacker who breached Capital One’s customer data did so as part of a broader attack that impacted more than 30 other businesses, government agencies, and schools.
In addition to harvesting the personal data of more than 106 million Capital One customers and applicants, the indictment says the hacker used the compromised cloud servers to mine cryptocurrency.
The indictment, filed on Wednesday in Washington State, are the first formal charges against the alleged hacker, Paige Thompson. She was arrested on July 29 based on allegations of data theft, but the charges of illicit cryptocurrency mining are new.
Yesterday’s indictment does not name the victims, but security researchers have found evidence that they may have included the Ohio Department of Transportation, Vodafone, and Michigan State University. Those would match the indictment’s description of a U.S. state agency, a foreign telecommunications conglomerate, and a U.S. public research university. The three organizations have said they are investigating whether their computers were compromised in the attacks.
The indictment describes a relatively new kind of digital attack called “cryptojacking.” It involves a hacker gaining control of a computer or server, commanding it to perform the intensive cryptographic computations that secure digital currencies like Bitcoin, and then transmitting the resulting digital currency to a wallet the hacker controls. Malicious software secretly installed on private computers can perform the same function.
The new indictment doesn’t specify which cryptocurrency Thompson is alleged to have obtained or the amount. It seeks forfeiture of any property or proceeds from Thompson’s hack, including cryptocurrency.
The indictment does not specify the cloud provider through which Thompson accessed victims’ data stores. But Capital One’s cloud provider is Amazon Web Services and Thompson is a former AWS employee.
Amazon has said the attacker exploited a configuration error made by Capital One, rather than a mistake by Amazon. Yesterday’s grand jury indictment alleges Thompson built scanning software to detect similar configuration errors, which she then used to further infiltrate the servers.
Capital One has said that it is “unlikely that the information was used for fraud or disseminated” by the hacker. The new indictment doesn’t detail any data Thompson may have obtained from other victims.
