Paige Thompson’s three roommates were startled when a battering ram slammed into their metal security door at 6 a.m. Monday as FBI agents raided their three-bedroom South Seattle house to arrest the 33-year-old accused Capital One hacker.
All five residents of the house were brought outside and handcuffed. Two of them — Thompson and Park Quan, the 66-year-old homeowner — were arrested, Thompson on a federal warrant on a charge of computer fraud and abuse, and Quan for allegedly being a felon in possession of a firearm. Twenty firearms, both assault-style rifles and handguns, were removed from the house, court records show.
Thompson is accused of exploiting a faulty configuration in Capital One’s firewall to access the company’s secure data and steal personal information about tens of millions of customers, according to the criminal complaint. The massive data breach included approximately 120,000 Social Security Numbers and approximately 77,000 bank account numbers.
On Tuesday, Thompson’s three roommates replayed surveillance footage from video cameras around the house showing the moment armed agents in camouflage descended on the property. Thompson’s bedroom and much of the house were still in disarray from being searched. Outside, windows in an old Airstream recreational vehicle and a large box truck had been covered with plastic after agents smashed them while checking if they were occupied.
“It was scary. I had M4s in my face,” said one of the roommates, a Navy veteran, identifying the weapons the agents were armed with. She and her two roommates, who both served in the Army, didn’t resist being handcuffed and detained. But they said Thompson ducked back into her bedroom after seeing the agents, saying she didn’t want to deal with it.
The roommates, who like Thompson are transgender women, said she used to be a systems engineer at Amazon but lost her job in 2016 after she began drinking at work to deal with harassment from a co-worker. She hasn’t worked since, the roommates said, and was living at the house rent-free.
“Paige is very, very skilled. If she wanted to, she could hack foreign governments,” said another of the roommates, who like the other two asked not to be named to protect their privacy and because they’re still shaken from Monday’s raid. “I didn’t know exactly what she had done … We never heard anything about it. She probably didn’t think it was a big deal.”
She described Thompson, who is also known by the online handle “erratic,” as a “white hat hacker” who tried to warn Capital One about vulnerabilities in their firewall but was blown off. Thompson posted links to the company’s data “to teach them a lesson,” she said.
The roommates said they knew Quan had guns in the house but had no idea he was a felon and wasn’t legally allowed to have them.
“We were astonished when they took him,” one roommate said of Quan’s arrest. “They took the guns and Paige’s computer.”
A federal judge ordered Thompson held in custody on Monday, with a bail hearing set for Thursday. Court records show Thompson has been appointed a federal public defender, but he did not return a phone call on Tuesday.
Also Tuesday, a woman who answered the phone at a listing for Thompson’s mother in Arkansas said, “No comment,” then hung up when contacted by a reporter.
Capital One is a major customer of Amazon Web Services (AWS), the Seattle commerce giant’s cloud computing business, which provides companies the ability to rent computing and storage power on Amazon servers. AWS’ website touts Capital One’s choice of its cloud computing services, quoting its chief information officer saying, “We believe we can operate more securely in their cloud than in our own data centers.”
While the federal complaint against Thompson does not name AWS, it does say that Thompson worked at the cloud hosting provider Capital One uses. Thompson’s resume, posted on multiple online platforms, indicates she was a level 4 systems engineer at Amazon from May 2015 to September 2016, where she worked on the “build-out and deployment of new load balancing capacity for S3” — AWS’s Simple Storage Service, which allows AWS customers to store and access data from anywhere online.
Amazon had no comment.
A person familiar with the matter said there was no breach or malfunction in the underlying AWS infrastructure, and the fact that the accused perpetrator had worked for AWS was not relevant to the hack. Instead, the hacker apparently exploited Capital One’s faulty firewall. Capital One said it was informed of the vulnerability July 17 and discovered the hack exposed personal information of as many as 106 million individuals in the U.S. and Canada.
Thompson’s posts on Twitter suggest she may have accessed other data stored on AWS. Computer security researcher and reporter Brian Krebs reviewed posts on a Slack channel attributed to “erratic.” One post, on June 27, lists “various databases she found by hacking into improperly secured Amazon cloud instances,” Krebs wrote on his KrebsonSecurity blog, adding that a screenshot she posted suggests “she may also have located tens of gigabytes of data belonging to other major corporations.”
That said, Krebs saw no postings suggesting Thompson “sought to profit from selling the data taken from various Amazon cloud instances she was able to access.” Capital One, in its statement, said it was “unlikely that the information was used for fraud or disseminated by this individual,” but it continues to investigate.
Aife Dunne, an online friend of Thompson’s, told The New York Times that Thompson struggled with her transition to a woman, discussed suicidal thoughts, and would sink into dark phases with little support outside her online communities.
According to her online resumes, Thompson studied software engineering at Bellevue College and moved through nine Seattle-area IT jobs over the last 14 years. In recent weeks, Thompson posted photographs of the Viaduct demolition, her various technology projects and her cat Millie, who died last week.
She also wrote about having a therapist appointment and made reference to something momentous that was going to result in her losing her freedom.
“After this is over I’m going to go check into the mental hospital for an indefinite amount of time,” she wrote on Twitter. “I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.”
Information from The New York Times is included in this story.