A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customers’ cloud storage systems and stealing data linked to the massive 2019 Capital One breach. A US District Court in Seattle convicted Paige Thompson of seven counts of computer and wire fraud on Friday, a crime punishable by up to 20 years in prison.
Thompson, who also went by the name “Erratic” online, was arrested for carrying out the Capital One hack in July 2019. The breach was one of the largest ever recorded, exposing the names, birth dates, social security numbers, email addresses, and phone numbers of over 100 million people in the US and Canada. Capital One has since been fined $80 million for allegedly failing to secure users’ data and settled with affected customers for $190 million.
A press release from the Department of Justice (DOJ) states Thompson developed a tool that scanned AWS for misconfigured accounts and then leveraged these accounts to gain access to the systems of Capital One and dozens of other AWS customers. Prosecutors also say Thompson “hijacked” companies’ servers to install cryptocurrency mining software that would transfer any earnings to her personal crypto wallet. She then “bragged” about her misdoings in online forums and over text messages.
At the time, there was some debate as to whether Thompson was an ethical hacker or security researcher due to her unusual candidness about her role in the Capital One attack online — she posted customers’ sensitive data on a public GitHub page and shared the details of the breach on Twitter and Slack. Earlier this year, the Justice Department made it clear that it wouldn’t prosecute security researchers under the Computer Fraud and Abuse Act. But US prosecutors obviously weren’t convinced Thompson’s actions fell under this exception.
“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” US attorney Nick Brown said in a statement. Thompson’s sentencing hearing will take place on September 15th, 2022.
Source: The Verge