A former Amazon Web Services Inc. employee has been convicted in the theft of more than 100 million records belonging to Capital One Financial Corp. in 2019.
Paige A. Thompson, who worked for AWS as an engineer until 2016, was found guilty of seven charges, including wire fraud, illegally accessing a protected computer and damaging a protected computer. However, Thompson was not found guilty of aggravated identity theft and access device fraud.
Prosecutors argued that Thompson, using the name “erratic” online, created a tool to search for misconfigured AWS accounts. This allowed her to hack into the accounts of more than 30 AWS customers, including Capital One, and steal their data.
Additional companies and organizations accessed by Thompson included UniCredit SpA, Vodafone plc, Ford Motor Co., Michigan State University and the Ohio Department of Transportation.
It was claimed that Thompson downloaded more than 20 terabytes of data. In the case of Capital One, stolen data primarily consisted of credit card applications that included names, addresses, zip and postal codes, phone numbers, email addresses, dates of birth and self-reported income. The applications also included “portions of credit card customer data,” including credit scores, credit limits, balances, payment history, contact information and “fragments of transaction data.”
In addition, 140,000 Social Security numbers were stolen along with 80,000 linked bank account numbers of US customers, while 1 million Social Security numbers were stolen from Canadian Capital One customers.
Prosecutors also claimed that Thompson used her access to some of the servers to mine for cryptocurrency. “She wanted data, she wanted money and she wanted to brag,” Assistant United States Attorney Andrew Friedman said in closing arguments of the trial.
The bragging reference is relevant as Thompson’s downfall was the result of her boasting online about how she built the scanning tool to look for misconfigured accounts. She also posted some of the data on GitHub under her own name and made no attempts to hide her identity.
“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people and hijacked computer servers to mine cryptocurrency,” US Attorney Nick Brown said in a statement. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”
Wire fraud is punishable by up to 20 years in prison, while accessing a protected computer and damaging a protected computer attract up to five years in prison. Thompson’s sentencing hearing is scheduled for Sept. 15.