
Former Amazon Engineer Found Guilty of Wire Fraud by Hacking into Capital One



By: Leetyan Chen


An ex-Amazon employee was convicted on Friday of wire fraud and hacking into Capital One, stealing the data of over 100 million people in one of the biggest ever data breaches in the United States.


Paige Thompson, age 36, was found guilty by a Seattle jury of violating the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. The jury did not find Paige Thompson guilty of aggravated device fraud and identity theft.


According to Sead Fadilpašić, a journalist for Tech Radar on MSN, Thompson used her position as an Amazon Web Services (AWS) engineer to hack into 30+ Amazon clients, including Capital One. She made a tool to search for misconfigured accounts, mined the accounts’ data, and installed her cryptocurrency miners on the AWS servers.


An article written by Kate Conger finds, “[Thompson’s] legal team argued that she had used the same tools and methods as ethical hackers who hunt for software vulnerabilities and report them to companies so they can be fixed.” Thompson’s legal team also argued that Thompson did not intend to profit from the data collected. In court papers, her legal team contended, “there is no credible or direct evidence that a single person’s identity was misused.”


However, the prosecution countered that Thompson had zero plans to report these vulnerabilities to Capital One, citing that she boasted about the attack online. Thompson also implanted software on servers she illegally accessed to mine cryptocurrency. During closing arguments, Assistant United States Attorney Andrew Friedman said, “[Thompson] wanted data, [Thompson] wanted money, and [Thompson] wanted to brag.”


Thompson is set to be sentenced on September 15th in front of U.S. District Judge Robert S. Lasnik, with convicted crimes punishable by up to 20 years in prison. Before finding Thompson guilty of wire fraud and five counts of hacking, the Seattle jury deliberated for approximately 10 hours, a release said.

Three years ago, banking giant Capital One revealed it had suffered a significant data breach, indicating that about 140,000 United States social security numbers and 80,000 linked bank account numbers had been compromised. Over 106 million people throughout the United States and Canada were affected.


Following the data breach, Thompson was soon arrested. A user on a GitHub forum reported Thompson to Capital One, which reported her to the Federal Bureau of Investigation (FBI) shortly after she was found bragging online about the attack.


Capital One also faced a class-action lawsuit, in which regulators argued that Capital One had failed to enforce security measures to protect consumers during the breach. Capital One agreed to pay over $190 million to settle the lawsuit in December 2020 and $80 million in regulatory fines.


In a press statement, Nicholas W. Brown, the U.S. attorney for Seattle, concluded, “Ms. Thompson used her hacking skills to steal the information of more than 100 million people, and hijacked computer servers to mine cryptocurrency. Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”



Sources:

https://s3.amazonaws.com/appforest_uf/f1655668302581x867950589613879900/Ex-Amazon%20Worker%20Convicted%20in%20Capital%20One%20Hacking%20-%20The%20New%20York%20Times.pdf

https://www.cnbc.com/2022/06/18/former-amazon-employee-convicted-in-capital-one-hack.html?adlt=strict&toWww=1&redig=0C990691ABF24C339C5E56ABDD284DCD

https://www.msn.com/en-us/autos/news/former-amazon-employee-convicted-of-capital-one-hack/ar-AAYF6ub?ocid=uxbndlbing&adlt=strict&toWww=1&redig=699FA191A9B741D7A0D939737D621C40

https://nypost.com/2022/06/18/seattle-woman-paige-thompson-convicted-in-massive-capital-one-hack/?adlt=strict&toWww=1&redig=0E11F2FE76DF4592A277884E1FDC96C9
