On Monday night, Capital One and its customers received some very bad news. The company had been breached, and hundreds of thousands of Social Security numbers and account details became publicly visible. The New York Attorney General is already investigating whether Capital One was negligent, but the broader story is familiar: a large company lost a lot of sensitive data, and customers bore most of the risk.
But the closer you look, the stranger the story is. The alleged hacker, Paige Thompson, alias "Erratic", was caught and charged as the breach went public, and she did not seem interested in covering her tracks. We don't know exactly what she did with the data once she got it, but she doesn't fit the profile of most scammers, who tend to sell information like this in underground marketplaces as soon as they can. At the same time, it seems that the initial vulnerability was more of a server misconfiguration than an out-and-out exploit, which has led some to wonder if Thompson may have been a well-intentioned researcher who went a little too far. We still don't know what she was looking for when she collected this data, and there are still far more questions than answers.
The biggest discrepancy is how the breach was discovered in the first place. According to the federal complaint, the breach occurred in increments over March and April of 201
It is difficult to overstate how unusual this is for a criminal case. Usually, the data is only discovered after it has passed through multiple intermediaries, and it is rarely easy to find out exactly when and how it was taken. It took years to track down all the different people involved in the Target breach, to pick an example. Prosecutors revealed a completely different type of organization: one party making the software, another party using it to collect credit card data, which was then sold to another group that used it to commit fraud. Prosecuting all these people meant a massive international effort, centered on Latvia and Eastern Europe. In contrast, Thompson was taken into custody less than a month after the first tip.
We don't know why Thompson decided to post the data on a public GitHub page, but there is reason to believe that she really did not see what she did as criminal. She openly described her techniques on Twitter (that's part of why we know so much about how it happened), and doesn't seem to have been shy about sharing information. The rest of what we know comes from a Slack room maintained by Thompson. I was able to access the Slack room until it went offline yesterday, along with a number of other reporters, and Thompson's conversations around the breach were alarmingly random. Immediately after an account named "Erratic" listed the contents of the dump, a friend replied, "sketchy shit … don't go to jail plz."
Thompson seemed aware of some danger, but not the extent of the threat. "I want to get it from my server, that's why I archive everything, lol," Erratic wrote. "It's all encrypted. But I just don't want it."
The technical details of the breach make it even more complicated. What Thompson did was only possible because Capital One had configured its Amazon server incorrectly. Thompson had worked at Amazon years before, so some have described her as an "insider threat." But sniffing out these types of misconfigurations is a common pastime for security researchers. (UpGuard Security in particular has built a good reputation just from scanning for misconfigured servers.) These misconfigurations are so common and so easy to fix that they are usually not even considered a breach, although confirming these cases without breaking any laws is obviously a delicate business.
It can be difficult to see the difference between security research and criminal activity from the outside. None of these facts is an indication that Thompson is not guilty of what she is accused of. As long as she took the data, the law doesn't care why she did it. We really don't know why she took the data or why she held onto it for months without reporting the problem to Capital One. We do not know if she tried to report it in any way, or if she tried to serve the data in ways that have not yet emerged. Thompson may even have had trouble knowing which side of the law she was on. But when we describe Capital One's problems in the same terms as previous breaches, there is reason to believe that this one is more complicated than it seems.