Front Burner - Who is the alleged Capital One hacker?
Episode Date: August 1, 2019
A massive data breach at Capital One has led to the arrest of a Seattle-based woman who allegedly stole the private information of more than 100 million people, including 6 million Canadians. Today on Front Burner, Greg Otto, Editor-in-Chief of CyberScoop, brings us the story of accused hacker Paige Thompson and explains how the crime was done and why experts say a trail of clues was left for the FBI.
Transcript
In the Dragon's Den, a simple pitch can lead to a life-changing connection.
Watch new episodes of Dragon's Den free on CBC Gem.
Brought to you in part by National Angel Capital Organization,
empowering Canada's entrepreneurs through angel investment and industry connections.
This is a CBC Podcast.
Should we rethink our relationship with technology in the midst of the AI revolution?
Sleepwalkers, a podcast from iHeartRadio,
explores the strange consequence of human interaction with artificial intelligence.
With secret labs and expert guests, co-hosts Oz Woloshyn and Karah Preiss
talk about how new technology is changing everything,
from falling in love to diagnosing cancer.
Listen to Sleepwalkers on your favorite podcast app or wherever you get FrontBurner.
Hey, I'm Jamie Poisson.
We woke up to a loud bang and one of the housemates, Diane, went to open the door and to about 10 M4s in her face and an FBI raid team and they were cuffing her.
On Monday, a woman was arrested in Seattle for allegedly pulling off one of the biggest financial hacks in history. We're talking SIN numbers, bank account numbers, addresses, credit card charges from the bank Capital One. 100 million Americans were affected. 6 million Canadians. It is wild.
Greg Otto reports on hacking and cybersecurity as editor-in-chief of CyberScoop. He's here with me now from Washington to explain how on earth the hacker did this, why she got caught, and what do you do when your most sensitive information gets targeted? That's today on FrontBurner.
Greg, hello. Thank you so much for being with us today.
Thank you for having me.
So can we start with Paige Thompson, the person who's allegedly at the center of this?
What do we know about her so far?
So Paige Thompson is a 33-year-old software engineer who has seemingly bounced around from job to job. Interestingly enough, she actually spent time working for Amazon as a systems engineer on their cloud computing platform. She has lived in Washington for some time, and recently it has been brought to light that she is a transgender woman who had spent a lot of time online talking about that, as well as a lot of time talking about a lot of nerdy technical things when it comes to cloud computing, network computing, cybersecurity, hacking, all different types of technological know-how. And it's clear from looking at some of her other social media profiles that she was a pretty astute engineer and pretty astute at how to poke around and get inside and outside all of these cloud instances that she had worked with before.
Thompson's roommates want to protect their identities.
They said she'd been unemployed since leaving Amazon
and spent most of her time at home on the computer.
She told me she worked at Amazon and that, when she was working on the servers there, she did some breach hacking there just to see if there were gaps that she could fill.
But that was it.
Let's talk about what she's accused of doing.
Sure. What she's accused of doing from a legal perspective, she has been charged with one count of computer fraud and abuse. And that's under the Computer Fraud and Abuse Act, which is a really fundamental law when it comes to what goes on in the cybersecurity space in America. But she's charged with taking all this information from Capital One and that has run afoul of this law.
So the way that this was discovered is that she had been pretty brazen with how she talked about what she did in terms of taking that information.
Thompson, who reportedly goes by the online handle Erratic, boasted about the hack, posting, I've basically strapped myself with a bomb vest, dropping Capital One's docs and admitting it.
The reason this came to Capital One's attention was that somebody else had seen on her GitHub page that there was a bunch of information that looked like sensitive Capital One information. And that person turned around and emailed a link to Capital One through a vulnerability disclosure email and said, hey, guys, you might want to look at this. This looks like your sensitive information is just out in the public in GitHub, and you probably don't want that to happen. So check that out.
And it turned out it was, and everybody moved from there.
And this is months after she does the initial hack, right?
Yes, this was all of two weeks ago.
I believe the date was July 17th that Capital One got that email to say, you better take a look at this. I think somebody took all of this information from your system.
So you mentioned Amazon and GitHub, but let's really get into how she was able to do this.
So what she did, according to the FBI complaint, she managed to get around a firewall that Capital One had set up.
It looks like Capital One had some misconfigurations in the firewall.
And there was a big hole in the fence, basically.
But it wasn't due to negligence, necessarily.
It seems like, you know, building these digital fences are hard.
It is very, very hard.
And she was able to pull all of this information out of Capital One's systems.
I mean, beyond the SIN numbers, we're talking about Social Security numbers and we're talking about just a ton of personally identifiable information, PII for short. We're talking names, addresses, date of birth, credit score, credit history. I think there were some bank account numbers and some actual information that had to do with some transactions that had occurred as well. So we're talking just a ton of sensitive information here.
It's wild.
Yeah. She pulled all of this information out in March
and then she proceeded to brag about it a little bit.
She was in some Slack channels
that some information security people were in
and also she dumped a bunch of stuff on GitHub as well
and she even used GitHub's like note feature.
GitHub has this feature
where you can share just little text snippets.
And she put some information on there that looked to be information that she took from Capital One.
So here's a screenshot.
It reads in part, I want to get it off my server.
That's why I'm archiving all of it.
We've blurred out the curse words.
And like, is GitHub sort of like Dropbox, but for people who are better at technology?
Well, I would say that GitHub is really big within the coding and the programming community because it's a platform that allows the sharing of code. So it's not really like Dropbox at all.
It's just, can you tell I've never been on GitHub?
Okay.
So we've got this hacker, this alleged hacker, Paige Thompson.
She is able to essentially manipulate or exploit this loophole in the firewall around Capital One.
You mentioned she used to work for Amazon.
This may have given her some expertise, although she already has a ton of expertise in this.
She's able to extract this extraordinary amount of data, a huge, huge trove of data.
And then she essentially sits on the data, releasing some of it on her GitHub page, but also just brags about the fact that she did this.
Did she ever talk about why she did this, right? Like, what was the motivation behind it? Because, you know, you would think that maybe one would want to sell this to some criminal enterprise, right? SIN numbers and bank account numbers are like the perfect recipe to steal somebody's identity.
Right. And that is really what we are trying to figure out collectively, like journalists, law enforcement, what really was the motive behind this? Because,
like journalists, law enforcement, what really was the motive behind this? Because,
look, it's very clear that she was very technically adept when it comes to getting
that information out. Like she has some tweets where she explains, you know,
if I wanted to do this, here's how I would do this. And they are extremely, extremely technical.
They show how, you know, she can manipulate an identity and access management system. And that
takes a certain skill level. Like this isn't just a simple basic computer user that just happened to fall into the wrong file.
Like there was skill there.
But, you know, anybody that has the technical capabilities to do this also knows better, like knows how to cover their tracks, knows how to practice what is known as operational security or OPSEC.
Would I be going too far if I said maybe it looked like a cry for help?
No, I don't think so. I mean, look, I don't personally know Paige at all, but from conversations that I've been having with people that knew her, it seems like there were some mental health issues there.
You know, screw this. I'm just going to do this because I'm capable of doing this.
And I really don't know why I would do this other than just to say, you know, I'm just going to burn it all to the ground.
A housemate offered this possible motive.
More or less from what we understand is she did it just because she could. Paige just wanted to see if she could. She had no inferior intentions with the data.
There is this one quote that struck me.
She wrote,
I have a whole list of things
that will ensure my involuntary confinement
from the world.
Yeah, she knew what she was doing.
She knew the gravity of what
taking this data was going to amount to.
I also just want to point out, of course, she's been charged with these crimes, but has not been convicted in court.
Yes, absolutely.
So I'm listening to you talk about this. And, you know, the obvious question that I have is that,
you know, I understand this
hack of Capital One happened a few months ago, and they only recently found out about it. So
how on earth is that possible, that someone is able to obtain this kind of information from
a bank, a very powerful, influential, rich bank, and nobody knows about it.
It really goes to show how hard it is when you are an extremely large organization and you want
to embrace modern technology, how hard it is to get everything right. Capital One is known as being
one of the more technology-focused companies and technology-focused banks in the U.S.
This makes me feel even worse, right?
Right.
And they have a pretty good track record of knowing how to use cloud computing and knowing
how to use all the different technologies that are coming into our lifestyles.
And they do a really, really good job of it.
They have a really good reputation.
So when you see stories like this, the one question that comes to mind that Capital One hasn't answered yet is how did they not know that a transfer of that amount of data had left their systems. That is a really big question. But we talked about that email where Capital One was made aware that this was even happening.
That was two weeks ago.
So from two weeks ago to getting to the point where somebody is in custody and we've made an announcement to the world that this has taken place, in security terms, that is light speed.
Look, I think if you look at some of the other breaches that have made national and international headlines and you really dig into the timeline, you're talking at most like a six-month window where attackers have had the chance to poke around inside systems, pull what they want to pull, and the company recognizes it. This is one of the largest data breaches in history. It happened at Equifax.
Nearly 143 million accounts were compromised in the U.S. starting in late May.
It took the company until July to discover the hack and another month to inform the public.
So for Capital One to have all of this occur in the span of two weeks really shows just the largesse of these companies more and more as they get into this
technology. This stuff is really, really hard to pin down. It's really, really hard to put
everything in a safe and just say you are going to be 100% secure all of the time. That's just
not the way that this works when it comes to technology. Yahoo's had an information breach
that's affected almost a half billion accounts.
There is growing demand for the federal government to take action over the privacy breach at Desjardins Group.
BMO here and CIBC Simply Financial received tips over the weekend that they had been hacked.
Is it fair, though, for me to say that perhaps one of the reasons why they were able to move at such light speed is because she has allegedly left all of these breadcrumbs, because she posted this data on her own GitHub page?
Yes, yes, that absolutely helped. The fact that investigators did not have to look very far to figure out what exactly it was that happened here. The GitHub where this information was first posted was under her full name. So her account name was her full name. So all law enforcement had to do was pretty much, you know, run some other investigations to see where these account names also were pervasive on the internet and then poked around onto who owned those accounts.
And then we move into the arrest phase.
So it was not a very hard investigation from a law enforcement standpoint.
You mentioned other hacks.
Can you put this hack into context for me?
So when I think of these massive hacks that we've heard about recently, I think of the Sony hack, obviously.
All of these embarrassing emails got released.
Even making racial remarks about President Obama.
Sony employees bashing Adam Sandler's movies.
The hackers who call themselves guardians of peace say they want to block the release of an upcoming movie,
believed to be The Interview,
a comedy about the assassination of North Korea's president.
I think of the Ashley Madison hack,
where a lot of people who were using this site service
to cheat on their spouses were very embarrassed
after their data got released.
Long spreadsheets of partial credit card information,
but more revealing, the corresponding names and home addresses of Ashley Madison users.
And I think of the Equifax data breach, which feels like maybe the most similar
because SIN numbers, birthdates, addresses were also hacked.
Right. And I'm glad that you brought this up, because this is something that, more and more as the story has unfolded, it's important to point out. I think that this hack is really unique in that, look, we can talk about the numbers that are associated here. And those numbers are big: the 140,000 Social Security numbers, 100 million U.S. residents, 6 million Canadian residents.
But it's not like Equifax 2.0.
And here's the reason why: a lot of what we've seen with like the Sony hacks or Target, Home Depot, Equifax, they are one of two things. They are either nation state hacks where it's a wing of a country doing intelligence or doing espionage,
and they're taking that information for those purposes. Or you look at it from a criminal
perspective where it was criminals hacking into a company to take information and they're going
to sell that on the dark web to other criminals that are in turn going to use it for identity theft. And it's just a for-profit type thing. This hack is different for a couple reasons. And one is that clearly Paige Thompson, as the information that we have right now, wasn't doing this to sell it to those criminal forums, so there wasn't any exchange of money, so there wasn't any for-profit there. And there doesn't seem to be any evidence that this information has been disseminated either to criminal forums or to any other nation state actors or anything like that. This was one person who hacked the information, and that information sat on all of the hardware that that person possessed.
Okay, so for the 6 million Canadians right now,
basically the message to them is that you don't need to be too worried about this particular hack,
whereas in contrast, the Equifax hack was far more worrisome.
Absolutely, because nobody knows who is responsible for the Equifax hack still to this day. I mean,
even as they start to cut checks in the U.S. for the class action lawsuit.
This settlement includes at least $575 million and up to $700 million in monetary relief, as well as important conduct provisions.
Nobody knows where that information went or who was responsible for it. You know, in the real world, if Paige Thompson rolled up to Capital One's biggest safe possible,
took a bunch of money and then stuffed it into a van and the paint traps went off in that van
and the cops found that paint van.
That's it.
We have the culprit.
We have the information that the act of stealing occurred.
But this could have been much, much worse.
Although, so far as we can tell, because there at least is some data that was sitting on her GitHub page, right?
And we can't really prove who accessed that.
Right. Yes.
I am curious to hear your thoughts on how you think the American justice system is going to react here. So how seriously do you think these cases are going to be handled?
Do you think that they'll try and make an example out of Paige Thompson?
God, that's a good question.
I'm not sure.
You know, they haven't handled it well. It goes back to this Computer Fraud and Abuse Act law that we were talking about earlier. These cases range all
over the place. The CFAA is known as a very, very esoteric law. It was written in 1986.
I mean, think about all of the technological innovations that we've seen since 1986. We didn't even have cell phones in 1986.
Right. Exactly. Yeah, I think they were just coming online. But I mean, yeah, think about all those technological innovations and the way
that all of this stuff is built and maintained. And we're still sort of protecting it under this
law that was written in the 80s. But you know, you get back to Paige Thompson. I mean, this was somebody who, I mean, I believe that she called the Capital One
information a bomb strapped to her vest. So she knew the ramifications of what she took. And when,
you know, you talk about intent and motive, the justice system does not like it when somebody does something premeditated.
So I would not be surprised if she was made an example of.
But again, the CFAA, there's just so much there that could be debated.
I can't say definitively how this is all going to shake out in court.
Greg, thank you so much.
Absolutely.
So just a note to say that the bail hearing for Paige Thompson is set for tomorrow, Thursday.
And when we recorded this episode, her lawyer, a federal public defender, had yet to comment on the case.
Also, you might want to check out this website that a bunch of us have been messing around with.
It's pretty revealing.
It's haveibeenpwned.com.
Pwned is spelled P-W-N-E-D.
Apparently, it's this word that people use a lot when they're playing World of Warcraft.
I don't know.
But anyways, you can plug in your email address and it will tell you if your personal data has been compromised.
That's it for today.
I'm Jamie Poisson.
Thanks so much for listening to FrontBurner. For more CBC Podcasts, go to cbc.ca slash podcasts.
It's 2011 and the Arab Spring is raging.
A lesbian activist in Syria starts a blog.
She names it Gay Girl in Damascus.
Am I crazy? Maybe.
As her profile grows, so does the danger.
The object of the email was, please read this while sitting down.
It's like a genie came out of the bottle and you can't put it back.
Gay Girl Gone. Available now.