The 2019 hack exposed the information of over 100 million Capital One customers. | Photo Illustration by Alex Tai/SOPA Images/LightRocket via Getty Images
A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customers' cloud storage systems and stealing data linked to the massive 2019 Capital One breach. A US District Court in Seattle convicted Paige Thompson of seven counts of computer and wire fraud on Friday, a crime punishable by up to 20 years in prison.
Thompson, who also went by the name "Erratic" online, was arrested for carrying out the Capital One hack in July 2019. The breach was one of the largest ever recorded, exposing the names, birth dates, social security numbers, email addresses, and phone numbers of over 100 million people in the US and Canada. Capital One has since been fined $80 million for allegedly failing to secure users' data and settled with affected customers for $190 million.
A press release from the Department of Justice (DOJ) states Thompson developed a tool that scanned AWS for misconfigured accounts and then leveraged these accounts to gain access to the systems of Capital One and dozens of other AWS customers. Prosecutors also say Thompson "hijacked" companies' servers to install cryptocurrency mining software that would transfer any earnings to her personal crypto wallet. She then "bragged" about her misdoings in online forums and over text messages.
At the time, there was some debate as to whether Thompson was an ethical hacker or security researcher due to her unusual candidness about her role in the Capital One attack online: she posted customers' sensitive data on a public GitHub page and shared the details of the breach on Twitter and Slack. Earlier this year, the Justice Department made it clear that it wouldn't prosecute security researchers under the Computer Fraud and Abuse Act. But US prosecutors obviously weren't convinced Thompson's actions fell under this exception.
"Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself," US attorney Nick Brown said in a statement. Thompson's sentencing hearing will take place on September 15th, 2022.