A former Seattle Amazon Web Services (AWS) engineer has been found guilty of hacking into customers’ cloud storage systems and stealing data linked to the massive 2019 Capital One breach, which exposed personal information including names, addresses, phone numbers, emails, dates of birth, and self-reported incomes of approximately 100 million Americans and 6 million in Canada.
Paige Thompson, 36 was found guilty on Friday (June 17) of seven federal crimes, including wire fraud, which carries up to 20 years in prison. The other charges, illegally accessing a protected computer and damaging a protected computer, are punishable by up to five years in prison. A jury found Thompson not guilty of aggravated identity theft and access device fraud after 10 hours of deliberations.
A press release from the Department of Justice (DOJ) states that Thompson, who worked under the name “erratic” online, created a tool to search for misconfigured accounts on Amazon Web Services. That allowed her to hack into accounts from more than 30 Amazon clients, including Capital One. “She wanted data, she wanted money, and she wanted to brag,” Assistant United States Attorney Andrew Friedman said of Thompson in closing arguments during the week-long trial.
Capital One had been fined $80 million for allegedly failing to protect users’ data. In December 2021, they agreed to settle with those affected for $190. The breach was one of the largest ever recorded. According to the complaint, the data stolen exposed about 120,000 social security numbers and about 77,000 bank account numbers.
“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” said United States Attorney Nick Brown.
United States District Judge Robert S. Lasnik has set Thompson’s sentencing hearing for September 15, 2022.