Former Amazon employee Paige Thompson, who was arrested last month in relation to the Capital One data breach, has been accused of hacking not only the U.S. credit card issuer, but also more than 30 other companies.
An indictment unsealed on Wednesday revealed that Thompson not only stole data from misconfigured servers hosted with a cloud-computing company, but also used the computing power of hacked servers to mine for cryptocurrency, a practice commonly known as “cryptojacking.”
Thompson, known online as “erratic,” was arrested by the FBI on July 29 regarding a massive breach at Capital One Financial Corp that exposed the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada.
The stolen data included approximately 140,000 Social Security numbers and 80,000 bank account numbers linked to United States customers, and 1 million Social Insurance numbers belonging to Canadian citizens, along with some customers’ names, addresses, dates of birth, credit scores, credit limits, balances, payment history, and contact information.
Law enforcement became aware of Thompson’s activity after she posted information relating to her theft of Capital One data on her GitHub account.
However, a federal grand jury yesterday charged Thompson with a total of two counts—one count of wire fraud and one count of computer fraud and abuse—for illicitly accessing data on more than 30 other entities, including Capital One, the U.S. Department of Justice (DOJ) said.
Though the indictment [PDF] did not name the involved cloud-computing company, it is very likely to be Amazon, as Thompson previously worked for Amazon Web Services, which provides cloud computing services to Capital One among others.
But it should also be noted that Amazon Web Services was not compromised in any way, since Thompson gained access to the cloud server due to Capital One’s misconfiguration and not through a vulnerability in Amazon’s infrastructure.
The indictment also did not give names of the other 30 victims, but it did describe three of the targeted organizations as a state agency outside the State of Washington, a telecommunications conglomerate outside the U.S. and a public research university outside the State of Washington.
Investigators have found no evidence of Thompson selling or disseminating any of the stolen information.
The 33-year-old Seattle-based software engineer remains in custody and is scheduled to be arraigned on the indictment in U.S. District Court in Seattle on September 5. She could face up to 25 years in prison if convicted.