Suspect indicted by federal grand jury
A Seattle woman charged in the massive Capital One data breach was indicted by a federal grand jury Wednesday.
Paige A. Thompson, 33, a former software engineer, is accused of stealing data from more than 100 million Capital One credit card applications in what is one of the top 10 largest data breaches ever, according to USA TODAY research.
Thompson was indicted on “two counts related to her unauthorized intrusion into stored data of more than 30 different companies,” U.S. Attorney Brian T. Moran announced in a news release.
Details about three of the victims whose data was accessed was included in the seven-page indictment. The unnamed victims include a state agency outside the state of Washington, a public research university outside the state and a telecommunications conglomerate outside the U.S.
According to the release, law enforcement is working to notify victims. Investigators have not found evidence that any of the information accessed was sold or disseminated.
Capital One data breach: What’s the cost of data hacks for customers and businesses?
Capital One data breach fallout: How to protect yourself
Thompson “created scanning software that allowed her to identify customers of a cloud computing company who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers,” according to the indictment.
Thompson also used stolen computer power to mine cryptocurrency for her own benefit, a practice known as “cryptojacking,” the release said.
The federal charges for wire fraud and computer data theft carry penalties of up to 25 years in prison.
At a hearing Friday in Seattle, U.S. Magistrate Judge Michelle Peterson ordered Thompson to remain in custody pending trial because she is a flight risk and poses a physical danger to herself and others. She was first arrested on the Capital One breach July 29.
Peterson said Thompson’s “bizarre and erratic” behavior makes her a risk. The judge also said Thompson has no stable employment, residence or ties to the community and has stated that she wanted to die.
Capital One said 140,000 Social Security numbers and 80,000 bank account numbers were obtained in the breach but that no credit card account numbers or log-in credentials were compromised.
At least 40 lawsuits have been filed in the U.S. against Capital One following the breach, saying it failed to protect consumers. Eight other suits were filed in Canada.
Capital One said free credit monitoring and identity protection will be available to everyone affected.
Thompson is scheduled to be arraigned on the indictment Sept. 5 in U.S. District Court in Seattle.
Contributing: Associated Press
Follow Kelly Tyko on Twitter: @KellyTyko