Former Amazon engineer convicted over Capital One hack

20 Jun 2022


The prosecution said Paige Thompson used misconfigured Amazon Web Services accounts to hack into Capital One and steal personal data.

A former Amazon Web Services (AWS) software engineer has been convicted of hacking into cloud storage systems and stealing data linked to the massive Capital One breach in 2019.

A Seattle jury found Paige Thompson guilty of wire fraud, five counts of unauthorised access to a protected computer and damaging a protected computer. The charge of wire fraud is punishable by up to 20 years in prison.

The Capital One hack compromised the data of around 100m people in the US and 6m in Canada. Personal information such as names, addresses, postal codes, phone numbers, email addresses and self-reported income was exposed as a result.

Thompson was arrested in July 2019 after Capital One alerted the FBI to her hacking activity.

The Department of Justice said that Thompson, who used the name ‘Erratic’ online, built a tool to scan for misconfigured AWS accounts. She then used these misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank.

Prosecutors said Thompson also used her access to plant cryptocurrency mining software on new servers, with the income going into her online wallet.

“Ms Thompson used her hacking skills to steal the personal information of more than 100m people, and hijacked computer servers to mine cryptocurrency,” US attorney Nick Brown said.

“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

Prosecutors also told the jury that Thompson spent hundreds of hours on the scheme and “bragged” about the conduct to others through texts and online chats.

Thompson’s sentencing hearing will take place on 15 September.

As a result of the 2019 breach, Capital One was fined $80m and settled customer lawsuits for $190m.


Leigh Mc Gowran is a journalist with Silicon Republic
