Capital One and its customers received bad news on Monday evening. The company had been breached, exposing hundreds of thousands of Social Security numbers along with account information.
The headline is familiar: a large company leaked a lot of sensitive data. But the closer you look, the stranger the story gets. The alleged hacker, Paige Thompson, also known as 'Erratic', was arrested and charged at the same time the breach became public, and she seems to have taken little interest in hiding her tracks. We don't know exactly what she did with the data after she obtained it, but it doesn't fit the profile of most scammers, who tend to sell such information on underground markets as quickly as possible. At the same time, the initial vulnerability appears to have been more a server misconfiguration than a full-blown exploit, so some have wondered whether Thompson was a well-intentioned researcher who went a little too far. We still don't know what she was looking for when she collected this data, and there are far more questions than answers.
The biggest anomaly is how the breach was discovered in the first place. According to the federal complaint, the intrusion occurred in phases in March and April of 2019. But Capital One did not become aware of the problem until July 17, when someone informed the company that its private data had been uploaded to a public GitHub page. From there, it was easy for researchers to discover whose page it was and how they had obtained the data.
It is hard to exaggerate how unusual this is for a breach case. Usually the data is only discovered after it has passed through various intermediaries, and it is rarely so easy to determine exactly when and how it was taken. It took years to track down all the different people involved in the Target breach, to pick one example. The prosecutions revealed a completely different type of organization: one party wrote the software, another used it to collect credit card information, which was then sold to yet another group that used it to commit fraud. Prosecuting all those people took an enormous international effort, centered on Latvia and Eastern Europe. Thompson, by contrast, was in custody less than a month after the first tip.
We don't know why Thompson decided to put the data on a public GitHub page, but there is reason to believe she really didn't see what she was doing as criminal. She described her techniques publicly on Twitter (that's part of why we know so much about how it happened) and doesn't seem to have been shy about sharing information. The rest of what we know comes from a Slack room maintained by Thompson. I was able to access that Slack room until it went offline yesterday, along with a number of other reporters, and Thompson's conversations about the breach were unsettlingly casual. Immediately after an account named "Erratic" mentioned the contents of the dump, a friend replied: "sketchy shit … don't go to jail."
Thompson seemed aware of some danger, but not of the extent of the threat. "I want to get it off my server, so I'm archiving everything, lol," Erratic wrote back. "It's all encrypted. I just don't want it."
The technical details of the breach make it even more complicated. What Thompson did was only possible because Capital One had misconfigured its Amazon server. Thompson had worked at Amazon years earlier, so some have described this as an 'insider threat'. But detecting this kind of misconfiguration is a common pastime for security researchers. (UpGuard in particular has built a good reputation scanning for misconfigured servers.) Those misconfigurations are so common and so easy to correct that they are usually not even considered a breach, although it is of course a delicate matter to probe for them without breaking any laws.
From the outside, it can be difficult to tell the difference between security research and a criminal enterprise. None of these facts mean Thompson isn't guilty. As long as she took the data, the law doesn't care why she did it. We really don't know why she took the data or why she held onto it for months without reporting the problem to Capital One. We don't know whether she somehow tried to report it, or whether she tried to profit from the data in a way that has not yet come to light. Thompson herself may have had difficulty knowing which side of the law she was on. But even as we describe Capital One's problems in the same terms as previous breaches, there is reason to think this one is more complicated than it seems.