UPDATED 21:20 EDT / JUNE 30 2021

Alleged Capital One hacker indicted on new computer fraud charges

The U.S. Department of Justice has filed additional charges against Paige A. Thompson, the former Amazon Web Services Inc. engineer who allegedly hacked Capital One Financial Corp. in 2019, resulting in the theft of 100 million customer records.

Thompson was initially indicted in August 2019 and was accused of hacking Capital One and a range of other companies and organizations. Those companies and organizations include UniCredit S.p.A., Vodafone plc, Ford Motor Co., Michigan State University and the Ohio Department of Transportation.

The methodology in each hacking case is said to have been the same as with the Capital One breach. Thompson allegedly created scanning software while working at AWS to allow her to identify customers who had misconfigured their access. Having detected that, she then allegedly stole their customer databases.

In the case of Capital One, Thompson allegedly stole data from a misconfigured Amazon S3 storage instance. Thompson’s intent to steal and share stolen data has always been unclear, although Thompson was also allegedly involved in maliciously installing cryptomining scripts on compromised servers.

Thompson was initially indicted on two counts of wire fraud and computer fraud. As of now, the Justice Department has added seven new charges, according to court documents filed June 17 and first reported by The Record Tuesday.

The new charges are six counts of computer fraud and abuse and one count of access device fraud. Although the court document names Capital One, the rest of Thompson’s alleged victims are not named.

Along with a U.S. state agency, a telecommunications company outside the U.S. and a U.S. public research university per the original indictment, new unnamed targets are listed in the new indictment. They include a digital rights management company, a data and threat protection services provider, a technology company that provides solutions for call centers and a company that provides higher-education learning technology.

Although the number of Thompson’s alleged victims may have increased, the timeline has not changed. Prosecutors still allege that Thompson used her access while working at AWS to detect misconfigured S3 instances and then exploit the exposed data.

Prosecutors claim that Thompson downloaded more than 20 terabytes of data belonging to more than 30 companies. Thompson has pleaded not guilty and was released on a pre-trial bond in August 2019. The trial is set for March 2022 after being delayed during COVID-19. If found guilty, Thompson could be sentenced to up to 20 years in jail.

Photo: Tdorante10/Wikimedia Commons
