Capital One hack shows difficulty of defending against irrational cybercriminals

Software engineer Paige Thompson was arrested in late July for an unprecedented hack into a cloud server containing the personal data of over 100 million people who had filed credit card applications with leading financial institution Capital One. Thompson, who at the time of her arrest ran a hosting company called Netcrave Communications, had held a series of engineering jobs, including a stint at Amazon Web Services (AWS) in 2015 and 2016, where she presumably gained the skills to exploit a vulnerability in an application firewall on Capital One’s AWS server.

Thompson’s ultimate theft of the 100 million customer records, 140,000 Social Security numbers and 80,000 linked bank details of Capital One customers was apparently only one of her many hacks. In a legal filing related to keeping her remanded into custody, federal prosecutors say she hit more than 30 other targets, including companies and educational institutions.

Online postings by Thompson obtained by the Wall Street Journal suggest that those other targets might include Ford Motor Co., UniCredit (Italy’s largest bank), and Michigan State University. Thompson’s hacking efforts stand apart from the vast majority of major hacks over the past decade in because her motivations appeared not to be political or financial or nation-state directed.

Her actions also stand apart from other major breaches and data thefts because Thompson, unlike most “black hat” hackers, left an extensive trail of public evidence that she was not only engaged in these malicious activities, but that she also had Capital One specifically in her sights. Thompson was active on her now-removed Twitter account and on June 18 wrote “I’ve basically strapped myself with a bomb vest, f*cking dr0pping capitol ones dox and admitting it.”

Later, on July 5, Thompson wrote “I have a whole list of things that will ensure my involuntary confinement from the world,” she wrote. “The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”

Her oversharing wasn’t restricted to Twitter. The GitHub address Thompson used to post stolen Capital One files includes the full name “Paige A. Thompson” with a link to her actual resume. Under the alias “erratic” (which was also her Twitter account handle) connected to her real name, Thompson ran a hacker Meetup group with a Slack channel through which Thompson claimed to have files associated with the Capital One hack and made other incriminating statements that could be tracked back to her.

Defending against unusual threats

Thompson’s plans and mental health struggles were out in the open for all to see. Friends say she struggled with depression and the challenges of being a trans woman. The FBI said she had threatened to “shoot up” an unnamed California social media company.

With all the warning the question arises: Was there any way Capital One or AWS or any other company could have taken proactive steps to protect themselves from a skilled hacker like Thompson whose motivations appears to have been heavily influenced by her mental health problems, if not originated in them?

John McAlaney, associate professor in psychology at Bournemouth University in the UK, has studied the role of human factors in cybercrime, hacktivism and online social protest. He says it can be very difficult to establish defenses against hackers who don’t have the usual motivations “because the choice of target is not particularly logical.” For some hackers, the motivation is financial, so they choose targets that have money or data, he says.

Some malicious hackers seek prestige, to be the best among hackers. Others do it because they think it’s funny or are seeking some kind of public relations benefit.

At other times the target is “completely random” and the hacker chooses it because “the company looks like an easy target,” according to McAlaney. Therefore, because of all these motivations, one of the most important steps a company can take to defend itself against a hacker like Thompson is to “be very aware of their own reputation and not be seen as prone to hackers,” he says.

Look for signs of employee stress

If the would-be hacker is an internal employee, watch out for stressed-out workers. “People showing stress at work can be a warning sign,” McAlaney says. Although very few stressed-out employees turn into malicious actors, “an external hacker can exploit people who are stressed at work. That’s exactly the thing a hacker is going to target.”

It helps to spot troubled employees or even external bad actors if companies have safe and effective means to let management know of warning signs. “You also have to have systems where people can report things in a safe way without thinking their own jobs are endangered,” McAlaney says.

As to whether Thompson, with her public oversharing, was subconsciously begging to be caught, McAlaney says that could be the case. He also noted that “with a lot of [malicious] hackers there is a lot of confidence to the point of being arrogant. There are a lot of hackers who overestimate their own ability, and they underestimate the ability of law enforcement to identify them.”

Professor Jason Hong of the School of Computer Science and the Human Computer Interaction Institute at Carnegie Mellon University says that Thompson poses “an unusual kind of insider threat, one that isn’t driven by the typical factors of money, prestige, or revenge.”

He also said he’s “never heard of any good kinds of defenses against this.” Having good processes such as code reviews and backups will always help, but eventually you need to have some level of trust in your employees, otherwise they wouldn’t be able to get their work done.”

In the end, however, it’s possible that Thompson herself doesn’t know why she hacked Capital One, particularly given her emotional distress at the time of the hack. In a study of hacker motivations published in the Cybercrime Journal, malicious “hackers report motivations that they have frequently heard about and subsequently incorporated in their own mental set of representations of these gut-feelings,” meaning they made up their motivation for hacking after the fact.

McAlaney agrees. A lot of time hackers will create “a reason, political or ideological” after their crime “but a lot of times its random.”