Former Amazon Engineer Convicted Of Computer Fraud In Massive Capital One Data Breach

Three years ago, Capital One Financial Corporation suffered a massive data breach that exposed customers’ personal information. Rather than falling victim to social engineering or a ransomware attack, Capital One had misconfigured its web application, leaving its system vulnerable to a breach. The perpetrator, Paige Thompson, is a former Amazon engineer, which may be why she was aware of this misconfiguration, as Capital One’s system operated on Amazon Web Services (AWS).

Thompson, who was 33 years old at the time of the breach, stole the personal information of more than 100 million Capital One customers. This information included Social Security numbers and bank account numbers. Thompson bragged about her unauthorized exfiltration of this data on GitHub. Online chat logs show that she considered sharing the stolen information with a scammer and planned to publish the data while exposing her involvement. A woman in contact with the perpetrator suggested that Thompson turn herself in to law enforcement, but, after a month of inaction on the part of Thompson, the woman informed Capital One of the breach.

The Amazon Spheres at Amazon headquarters in Seattle (source: Wikipedia user Biodin)

Several years after leaving Amazon, the former employee built a tool to scan for the firewall misconfiguration among AWS customers and found that Capital One’s system was vulnerable in this way. Thompson’s lawyers argued that she was using the methods of ethical hackers to discover vulnerabilities. However, rather than informing Capital One of the misconfiguration, as an ethical hacker would, Thompson instead stole customer information and used the financial firm’s AWS servers to mine cryptocurrency.

Now, three years after the breach, a Seattle jury has found Thompson guilty of violating the Computer Fraud and Abuse Act. More specifically, the jury declared her guilty on five counts of gaining unauthorized access to a protected computer and damaging a protected computer, as well as wire fraud. However, the jury found Thompson not guilty of access device fraud and aggravated identity theft.

Thompson’s sentence has yet to be decided, but unauthorized access to a protected computer and damaging a protected computer are each punishable by up to five years in prison, and wire fraud is punishable by up to twenty years in prison, so Thompson could have a long sentence ahead of her.

Top image courtesy of Wikipedia user Tdorante10