Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

A 36-year-old former Amazon employee was convicted of wire fraud
and computer intrusions in the U.S. for her role in the theft of
personal data of no fewer than 100 million people in the 2019 Capital One breach ^[1].

Paige Thompson ^[2], who operated under the
online alias “erratic” and worked for the tech giant till 2016, was
found guilty of wire fraud, five counts of unauthorized access to a
protected computer and damaging a protected computer.

The seven-day trial saw the jury acquitted her of other charges,
including access device fraud and aggravated identity theft. She is
scheduled for sentencing on September 15, 2022. Cumulatively, the
offenses are punishable by up to 25 years in prison.

“Ms. Thompson used her hacking skills to steal the personal
information of more than 100 million people, and hijacked computer
servers to mine cryptocurrency,” said ^[3]
U.S. Attorney Nick Brown. “Far from being an ethical hacker trying
to help companies with their computer security, she exploited
mistakes to steal valuable data and sought to enrich herself.”

The incident ^[4], which came to light in
July 2019, involved the defendant breaking into Amazon’s cloud
computing systems and stealing the personal information of roughly
100 million individuals in the U.S. and six million in Canada. This
consisted of names, dates of birth, Social Security numbers, email
addresses, and phone numbers.

It was made possible by developing a custom tool to scan for
misconfigured Amazon Web Services (AWS) instances, allowing
Thompson to siphon sensitive data ^[5]
belonging to over 30 entities, counting Capital One, and plant
cryptocurrency mining software in the unlawfully accessed servers
to illegally mint digital funds.

Furthermore, the hacker left an online trail for investigators
to follow as she boasted about her illicit activities to others via
text and online forums, the Justice Department noted. The data was
also posted on a publicly accessible GitHub page.

“She wanted data, she wanted money, and she wanted to brag,”
Assistant U.S. Attorney Andrew Friedman told the jury in the
closing arguments, according to a press statement from the Justice
Department.

Capital One was fined $80 million ^[6]
by the Office of the Comptroller of the Currency (OCC) in August
2020 for failing to establish appropriate risk management measures
before migrating its IT operations to a public cloud-based service.
In December 2021, it agreed to pay $190
million ^[7] to settle a class-action
lawsuit over the hack.

References

^{^}
2019
Capital One breach (thehackernews.com)
^{^}
Paige
Thompson (thehackernews.com)
^{^}
said
(www.justice.gov)
^{^}
incident
(www.capitalone.com)
^{^}
siphon
sensitive data (thehackernews.com)
^{^}
fined
$80 million (thehackernews.com)
^{^}
pay $190
million (www.capitalonesettlement.com)