A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the 2019 Capital One breach.
Paige Thompson, who operated under the online alias "erratic" and worked for the tech giant till 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.
The seven-day trial saw the jury acquitted her of other charges, including access device fraud and aggravated identity theft. She is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison.
"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," said U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."
The incident, which came to light in July 2019, involved the defendant breaking into Amazon's cloud computing systems and stealing the personal information of roughly 100 million individuals in the U.S. and six million in Canada. This consisted of names, dates of birth, Social Security numbers, email addresses, and phone numbers.
It was made possible by developing a custom tool to scan for misconfigured Amazon Web Services (AWS) instances, allowing Thompson to siphon sensitive data belonging to over 30 entities, counting Capital One, and plant cryptocurrency mining software in the unlawfully accessed servers to illegally mint digital funds.
Furthermore, the hacker left an online trail for investigators to follow as she boasted about her illicit activities to others via text and online forums, the Justice Department noted. The data was also posted on a publicly accessible GitHub page.
"She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department.
Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) in August 2020 for failing to establish appropriate risk management measures before migrating its IT operations to a public cloud-based service. In December 2021, it agreed to pay $190 million to settle a class-action lawsuit over the hack.