Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

A Seattle jury convicted her of wire fraud and five counts of unauthorized access to a protected computer.

 

Paige Thompson, a 36-year-old former Amazon employee, has been found guilty for her role in the theft of the private data of no fewer than 100 million people in the 2019 Capital One breach. A Seattle jury convicted her of wire fraud and five counts of unauthorized access to a protected computer.

Thompson, who operated under the online name "erratic" and worked for the tech giant until 2016, is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison.

"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," stated U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself." 

The data breach, which came to light in July 2019, involved Thompson infiltrating Amazon's cloud computing systems and stealing the private data of nearly 100 million individuals in the U.S. and six million in Canada. That included names, dates of birth, Social Security numbers, email addresses and phone numbers, and other critical financial data, such as credit scores, limits and balances.

According to the Department of Justice, Thompson employed a custom tool she designed herself to search for misconfigured Amazon Web Services (AWS) accounts. Subsequently, she exfiltrated sensitive data belonging to over 30 entities, including Capital One, deployed cryptocurrency mining software onto the bank's servers, and sent the earnings straight to her digital wallet.

Additionally, the hacker left an online trail for authorities to follow as she boasted about her illegal activities to others via text and online forums, the Justice Department noted. The stolen data was also shared on a publicly accessible GitHub page. 

"She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department. 

In August 2020, the banking giant was fined $80 million by the Office of the Comptroller of the Currency (OCC) for failing to implement proper risk management measures before shifting its IT operations to a public cloud-based service. In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit over the hack.