Former Amazon Worker Convicted of Capital One Data Breach

A former Amazon Web Services (AWS) employee was convicted of multiple crimes connected to one of the largest US data breaches of all time.

Paige Thompson, 36, acting under the handle ‘erratic,’ obtained the personal information of more than 100 million people in the infamous Capital One hack in 2019 using a tool she built that searched for misconfigured accounts on AWS.

For context, the data breach prompted Capital One to reach a $190m settlement with affected customers. Further, the Treasury Department's Office of the Comptroller of the Currency fined the bank $80m for failing to protect customer data.

After obtaining the data, the software engineer sifted through it and also installed cryptocurrency miners on some of the AWS servers she had accessed.

Based on these events, a federal jury on Friday found Thompson guilty of seven federal crimes, including wire fraud, illegally accessing a protected computer and damaging a protected computer.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” said US Attorney Nick Brown in a press release.

“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” he added.

She was found not guilty, however, of aggravated identity theft and access device fraud after her attorneys argued that she struggled with mental health issues and never intended to profit from the data she obtained. Further, they claimed there was no “credible or direct evidence that a single person’s identity was misused.”

At the same time, court documents indicate that the former AWS software engineer spent hundreds of hours advancing her scheme and bragged about her illegal conduct to others via text messages and online forums.

“She wanted data, she wanted money, and she wanted to brag,” Assistant US Attorney Andrew Friedman said in closing arguments.

Thompson’s sentence is expected on September 15, after US District Judge Robert Lasnik considers the sentencing guidelines and other statutory factors.

Wire fraud is punishable by up to 20 years in prison, while illegally accessing a protected computer and damaging a protected computer are each punishable by up to five years.