Dive Brief:
- Former Amazon Web Services (AWS) employee Paige Thompson was found guilty of seven federal crimes in connection with the 2019 Capital One data breach, which involved more than 106 million accounts, federal prosecutors announced in a press release Friday.
- Capital One paid an $80 million regulatory penalty in 2020 for failing to adequately assess risk before moving operations to the cloud, and settled customer lawsuits over the hack for $190 million.
- Thompson is scheduled for sentencing Sept. 15, according to the press release.
Dive Insight:
“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” U.S. Attorney Nick Brown said in the press release. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”
Thompson worked as an engineer for AWS, Capital One’s cloud hosting provider, until 2016. She built a tool that scanned for misconfigured AWS accounts, then used it to gain access to and download data from more than 30 entities, including Capital One, according to the press release.
Operating under the name “Erratic,” Thompson exposed about 120,000 Social Security numbers and 77,000 bank account numbers, CNBC reported.
The data was connected to credit card applications filed between 2005 and 2019, and included information like names, postal codes, birth dates and self-reported income. The hack also laid bare credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018.
Thompson also installed cryptocurrency mining software on servers she had hijacked and directed the proceeds to her own digital wallet. She bragged about the hack in texts and on online forums.
“She wanted data, she wanted money, and she wanted to brag,” said Assistant U.S. Attorney Andrew Friedman in closing arguments.
Thompson was found guilty of one count of wire fraud, five counts of unauthorized access to a protected computer and one count of damaging a protected computer, according to the press release. Wire fraud is punishable by up to 20 years in prison; each of the other counts carries up to five years. The jury acquitted her of access device fraud and aggravated identity theft.
U.S. District Judge Robert S. Lasnik will sentence Thompson on Sept. 15.