A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customer cloud storage systems and stealing data related to the massive 2019 Capital One breach. A U.S. court in Seattle on Friday convicted Paige Thompson on seven charges. counts of computer and wire fraud, a crime punishable by up to 20 years in prison.
Thompson, who also went by the name “Erratic” online, was arrested for carrying out the Capital One hack in July 2019† The breach was one of the largest on record, exposing the names, dates of birth, social security numbers, email addresses and phone numbers of more than 100 million people in the US and Canada. Capital One has since been fined $80 million for allegedly failing to secure user data and settled with affected customers for $190 million†
A press release from the Ministry of Justice (DOJ) states that Thompson developed a tool that scanned AWS for misconfigured accounts and then used those accounts to access the systems of Capital One and dozens of other AWS customers. Prosecutors also say Thompson “hijacked” companies’ servers to install cryptocurrency mining software that would transfer any earnings to her personal crypto wallet. She then “bragged” about her misdeeds on online forums and via text messages.
At the time, there was some debate about whether Thompson was an ethical hacker or security researcher because of her unusual candor about her role in the Capital One attack online — she posted sensitive customer data on a public GitHub page and shared the details of the breach. on Twitter and Slack. Earlier this year, the Justice Department made it clear that it would not prosecute security researchers under the Computer Fraud and Abuse Act. But US prosecutors were clearly not convinced that Thompson’s actions fell under this exception.
“Instead of being an ethical hacker trying to help companies with their computer security, she took advantage of mistakes to steal valuable data and try to enrich herself,” US attorney Nick Brown said in a statement. Thompson’s sentencing hearing will be September 15, 2022.