UPDATED 20:19 EST / JUNE 20 2022

SECURITY

Former AWS employee convicted in 2019 Capital One hack

A former Amazon Web Services Inc. employee has been convicted in the theft of more than 100 million records belonging to Capital One Financial Corp. in 2019.

Paige A. Thompson, who worked for AWS as an engineer until 2016, was found guilty on seven charges, including wire fraud, illegally accessing a protected computer and damaging a protected computer. However, Thompson was not found guilty of aggravated identity theft and access device fraud.

Prosecutors argued that Thompson, using the name “erratic” online, created a tool to search for misconfigured AWS accounts. This allowed her to hack into the accounts of more than 30 AWS customers, including Capital One, and steal their data.

The additional companies and organizations accessed by Thompson included UniCredit S.p.A, Vodafone plc, Ford Motor Co., Michigan State University and the Ohio Department of Transportation.

It was claimed that Thompson downloaded more than 20 terabytes of data. In the case of Capital One, the stolen data primarily consisted of credit card applications that included names, addresses, zip and postal codes, phone numbers, email addresses, dates of birth and self-reported income. The applications also included “portions of credit card customer data,” including credit scores, credit limits, balances, payment history, contact information and “fragments of transaction data.”

In addition, 140,000 Social Security numbers were stolen along with 80,000 linked bank account numbers of U.S. customers, while 1 million Social Insurance Numbers were stolen from Canadian Capital One customers.

Prosecutors also claimed that Thompson used her access to some of the servers to mine cryptocurrency. “She wanted data, she wanted money and she wanted to brag,” Assistant United States Attorney Andrew Friedman said in the closing arguments of the trial.

The bragging reference is relevant as Thompson’s downfall was the result of her boasting online about how she built the scanning tool to look for misconfigured accounts. She also posted some of the data on GitHub under her own name and made no attempts to hide her identity.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people and hijacked computer servers to mine cryptocurrency,” U.S. Attorney Nick Brown said in a statement. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

Wire fraud is punishable by up to 20 years in prison, while accessing a protected computer and damaging a protected computer attract up to five years in prison. Thompson’s sentencing hearing is scheduled for Sept. 15.

Photo: Tdorante10/Wikimedia Commons
