In the United States, a 36-year-old ex-Amazon employee was found guilty of wire fraud and computer intrusions for her involvement in the theft of personal information from over 100 million people in the Capital One hack of 2019.
Paige Thompson, who worked at Amazon until 2016 and went by the online identity “erratic,” was convicted of wire fraud, five counts of illegally accessing a protected computer, and damaging a protected computer. After a seven-day trial, the jury acquitted her of additional charges, including access device fraud and aggravated identity theft. Her sentencing date is set for September 15, 2022. Taken together, the charges carry a maximum sentence of up to 25 years in prison.
“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” U.S. Attorney Nick Brown said. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”
The incident occurred when the defendant broke into Amazon’s cloud computing systems in July 2019 and stole the personal information of approximately 100 million individuals in the US and six million in Canada. Names, email addresses, Social Security numbers, dates of birth, and phone numbers were all included.
Thompson was able to do so by creating a custom tool that scanned for misconfigured Amazon Web Services (AWS) instances, allowing her to steal sensitive data from more than 30 companies, including Capital One, and install cryptocurrency mining software on the illicitly accessed servers to illegally mint digital funds. According to the Justice Department, the hacker also left an internet trail for investigators to follow as she boasted about her illegal acts to others via text and online forums. The data was also made available on a GitHub page that was open to the public.
“She wanted data, she wanted money, and she wanted to brag,” Assistant United States Attorney Andrew Friedman said to the jury in the closing arguments, as per a press statement from the Justice Department.
The Office of the Comptroller of the Currency (OCC) fined Capital One $80 million in August 2020 for failing to implement sufficient risk management procedures before transferring its IT operations to a public cloud-based provider. In December 2021, Capital One agreed to pay $190 million to resolve a class-action lawsuit over the attack.