Paige Thompson faces wire fraud and computer fraud and abuse charges in the indictment announced Wednesday. She's scheduled to be arraigned Sept. 5. Her lawyer did not immediately respond to an email request for comment.
In addition to Capital One, the indictment identifies three other entities that were targets. They include a state agency and a public research university, both outside Washington state, and a telecommunications conglomerate located outside the U.S.
Between March and July of this year, Thompson created scanning software that allowed her to identify customers of a cloud computing company that had misconfigured their firewalls, allowing someone to access their servers, according to the indictment.
Once she had access, Thompson stole data and used the computer power to "mine" cryptocurrency for her own benefit, a practice known as "cryptojacking," the indictment said. Officials say Thompson, 33, copied data from servers that Capital One rented from a cloud computing company, including personal information from about 100 million customers who had applied for credit cards from Capital One.
At least 40 lawsuits have been filed against Capital One Financial Corporation, claiming the company failed to protect its customer's personal information. Thompson was arrested on July 29 after she allegedly talked about the hack on the site GitHub. Another user alerted Capital One to her posts and the financial services company confirmed that there had been a data intrusion, so it contacted the FBI. Investigators said they traced the hack back to Thompson.
She was arrested and her electronic devices were seized from her home in Seattle's Beacon Hill neighborhood. Investigators said they did not find any evidence that Thompson sold or disseminated any of the information she had gathered.
The charges carry penalties of up to 25 years in prison. U.S. Magistrate Judge Michelle Peterson ordered Wednesday that Thompson remain in custody pending trial. Peterson said after a detention hearing last week that Thompson is a safety risk to herself and others. The judge cited a Seattle police report alleging that Thompson threatened a social media office in California.
On May 21, the Mountain View Police Department opened a "terrorist threat" investigation after one of Thompson's former coworkers reported that Thompson sent a message saying she was "going to California to shoot up (REDACTED) office I hope you are not there," according to the report acquired by The Associated Press on Thursday.
The name of the social media company was redacted but the address was nearly identical to an address for LinkedIn. A message seeking comment from LinkedIn was not immediately returned. Thompson's lawyers later told the judge that Seattle police investigated the threat and concluded that she "had no monetary or transportation means to come to California."
__ Follow Martha Bellisle at https://twitter.com/marthabellisle