Software engineer Paige Thompson, 33, allegedly boasted about the hack and left crumbs for investigators to follow. She formerly worked for Amazon Web Services, which hosted the Capital One database that was breached.
The hack has led to multiple lawsuits against Capital One. A similar suit filed last week in California also included GitHub, which plaintiffs argued did not monitor and respond to hacked data on its website.
The newest lawsuit, which was filed this week in federal court in Seattle, also includes Amazon as a defendant. It argues that the company knew about the vulnerability exploited by Thompson and “did nothing to fix it,” and also violated Washington state’s Consumer Protection Act and Data Breach Disclosure Law.
“The single-line command that exposes AWS credentials on any EC2 system is known by AWS and is in fact included in their online documentation,” according to the complaint, GeekWire reported. “It is also well known among hackers.”
The suit also alleges the companies did not disclose the breach when they learned of it. The proposed class action suit includes plaintiffs from eight states and a nonprofit in Kentucky.
But Mark Bartholomew, a cyber law professor at the University at Buffalo’s School of Law, said that Capital One’s quick response, as well as reports that Thompson didn’t take advantage of the information she took, could hinder the lawsuits.
Although critics have said Amazon hasn’t done enough after the incident, the eCommerce giant said in a statement that none of its services were the underlying cause of the break-in. And Capital One has said that “this type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.”