Ex-Amazon worker found guilty in Capital One breach
Paige Thompson built a tool to find vulnerable AWS accounts, exfiltrate data and plant cryptomining software
Paige Thompson, a 36-year-old former Amazon employee, has been convicted of seven federal crimes in the US District Court in Seattle, all stemming from a massive breach at Capital One that affected over 100 million people.
Paige A. Thompson, a software engineer who went by the online pseudonym 'erratic,' was arrested in July 2019 after Capital One reported her activities to the FBI.
Thompson used a tool she created to check AWS accounts for misconfigurations. After identifying vulnerable accounts, she hacked into and downloaded data from over 30 entities, including Capital One bank.
According to the US Attorney's Office, Thompson also used part of her unlawful access to plant cryptomining software on new servers, with the proceeds going to her online wallet.
Thompson was able to obtain more than 100 million credit applications for Capital One, which included nearly 140,000 Social Security numbers as well as 80,000 bank account numbers.
There is no indication that the data was either sold or shared with third parties.
Following a seven-day trial, the Seattle jury found Thompson guilty of wire fraud, five counts of illegal access to a protected computer, and destroying a protected computer.
Other counts against her, such as access device fraud and aggravated identity theft, were dismissed.
Thompson will be sentenced by US District Judge Robert S. Lasnik in September 2022.
"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," said US Attorney Nick Brown.
"Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."
According to federal prosecutors, Thompson spent hundreds of hours working on her strategy and bragging about it to others through text and online forums.
"She wanted data, she wanted money, and she wanted to brag," Assistant United States Attorney Andrew Friedman said in closing arguments.
Thompson's lawyers claimed she struggled with mental health issues and never meant to benefit from the information she got, and that there was "no credible or direct evidence that a single person's identity was misused."
According to the Associated Press, Thompson's friends and acquaintances characterised her as a talented programmer and software architect whose conduct reflected her online identity.
Thompson started working for AWS in 2015, but resigned from her position the next year.
Some of Thompson's friends said they think the unemployed woman, who was struggling with serious depression, felt that the hack could bring her attention, respect and a new job.
More than 100 million customers in the United States had their accounts compromised as a result of the breach at Capital One. The firm was issued a financial penalty of $80 million and agreed to pay $190 million to settle consumer disputes.
Politicians also quizzed Amazon about its security practices following the breach.
In a letter addressed to then-CEO Jeff Bezos, Representatives Jim Jordan, Michael Cloud and Mark Meadows expressed their concerns about the data leak and its potential impact.
"The Capital One data was stored on a cloud storage service provided by Amazon Web Services," they wrote. "The outside individual who accessed the data was allegedly a former AWS employee."
Capital One said this week that it was 'pleased with the outcome of the trial' and remains 'thankful for the tireless work of the US Attorney's Office in Seattle and the FBI's Seattle Field Office in prosecuting this important case.'