Former Amazon Employee Found Guilty of Hacking Capital One and Stealing Data from 100 Million People

A 36-year-old former Amazon Paige Thompson employee was found guilty of hacking into Capital One, which led to the data breach of 106 million people in 2019. Paige Thompson faces up to 25 years in prison on all charges.

Let me remind you that the compromise of the American bank Capital One and the data leakage of 106 million users became known in June 2019. Then the data of users who applied to the bank for a credit card in the period from 2005 to 2019 leaked to the side. This included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income data.

The leak also affected information about the credit cards of bank customers, that is, data on credit ratings and limits, balances, payment history, as well as contact information and transaction fragments for 23 days in 2016, 2017 and 2018. In addition, it was reported that the attacker gained access to one million Canadian Social Security numbers, more than 140,000 US Social Security numbers, and 80,000 bank account numbers.

We reported that Hacker of Capital One is suspected in compromising data of 30 more companies.

Then, in connection with the Capital One hack, law enforcement authorities detained 33-year-old Seattle resident Paige A. Thompson (known online under the pseudonym Erratic), a former employee of Amazon Web Services Inc.

The fact is that Thompson mentioned the compromise of Capital One in the comments on GitHub, and used the wrong firewall configuration to penetrate the network. Soon, a vigilant user drew attention to Thompson’s words, who notified representatives of the bank about what was happening, which ultimately led to his arrest.

Even worse, after the arrest, it turned out that the case was not limited to the compromise of Capital One alone. So, during a search in Thompson’s house, law enforcement officers seized servers, which revealed not only information stolen from Capital One, but also several terabytes of data stolen from more than 30 other companies, educational institutions and other organizations.

Law enforcement officers did not disclose the names of the affected companies, but, judging by media reports, among them could be Unicredit, Vodafone, Ford, Michigan State University, the Ohio Department of Transportation and so on.

As a result, Paige Thompson was charged with wire fraud, computer fraud and abuse against Capital One and more than 30 other organizations.

Investigators reported that Thompson created a tool with which she scanned the Internet for misconfigured AWS servers that allowed anyone to access the data stored on them. Moreover, according to court documents, Thompson not only stole information, but also used compromised AWS servers to mine cryptocurrency.

In a seven-day trial, the jury acquitted Thompson of a number of charges, including access device fraud and aggravated identity theft, but found guilty, according to the U.S. Department of Justice now.

Sentencing is scheduled for September 15, 2022, but on the totality of the remaining charges, the burglar faces a sentence of up to 25 years in prison. At the same time, her attempts to rest on the fact that she is an ethical hacker and an information security researcher, obviously, were unsuccessful. In court, the prosecution stated that Thompson “wanted [to steal] data, wanted money, and wanted to show off.”