A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customers’ cloud storage systems and stealing data in connection with Capital One’s massive breach in 2019. A US district court in Seattle on Friday found Paige Thompson guilty of seven counts of computer and wire fraud, a crime punishable by up to 20 years in prison.
Thompson, also known online as “Erratic,” was arrested for performing the Capital One hack in July 2019. The breach was one of the largest on record, exposing the names, dates of birth, social security numbers, email addresses, and phone numbers of over 100 million people across the US and Canada. Capital One has since been fined $80 million for allegedly failing to back up users’ data and charged affected customers over $190 million.
A Department of Justice (DOJ) press release said Thompson developed a tool that scanned AWS for misconfigured accounts and then used those accounts to gain access to the systems of Capital One and dozens of other AWS customers. Prosecutors also say Thompson “hijacked” companies’ servers to install cryptocurrency mining software that would transfer all earnings to her personal crypto wallet. She then “bragged” about her wrongdoing on online forums and over text messages.
There was some debate at the time as to whether Thompson was an ethical hacker or a security researcher because she was unusually open about her role in the Capital One attack online – she posted sensitive customer data on a public GitHub page and shared the details of the breach on Twitter and Slack. Earlier this year, the Justice Department clarified that it would not prosecute security researchers under the Computer Fraud and Abuse Act. But US prosecutors were apparently unconvinced that Thompson’s actions fell under that exception.
“Far from being an ethical hacker trying to help companies with their computer security, she exploited bugs to steal valuable data and attempted to enrich herself,” US Attorney Nick Brown said in a statement. Thompson’s sentencing hearing will be held on September 15, 2022.