A 36-year-old former Amazon employee has been convicted of wire fraud and computer intrusion in the United States for her role in stealing the personal data of as many as 100 million people during the Capital One breach in 2019.
Paige Thompson, who operated under the online pseudonym “erratic” and worked for the tech giant until 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.
During the seven-day trial, the jury acquitted her of other charges, including access device fraud and aggravated impersonation. She is due to be sentenced on September 15, 2022. Cumulatively, the offenses carry a sentence of up to 25 years in prison.
“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people and hacked into computer servers to mine cryptocurrency,” said U.S. Attorney Nick Brown. “Far from being an ethical hacker trying to help companies with their IT security, she exploited errors to steal valuable data and sought to enrich herself.”
The incident, which came to light in July 2019, involved the defendant breaking into Amazon’s cloud computing systems and stealing the personal information of approximately 100 million people in the United States and six million in Canada. These included names, dates of birth, social security numbers, email addresses and phone numbers.
This was made possible by a custom tool Thompson developed to find misconfigured Amazon Web Services (AWS) instances, which allowed her to siphon off sensitive data belonging to more than 30 entities, including Capital One, and to implant cryptocurrency mining software on the illegally accessed servers to mint digital funds.
Additionally, the hacker left a trail online for investigators to follow as she bragged about her illicit activities to others via text messages and online forums, the Justice Department noted. The data was also published on a publicly available GitHub page.
“She wanted data, she wanted money, and she wanted to brag,” Assistant U.S. Attorney Andrew Friedman told the jury during closing arguments, according to a Justice Department press release.
Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) in August 2020 for failing to establish appropriate risk management measures before migrating its IT operations to a public cloud-based service. In December 2021, it agreed to pay $190 million to settle a class action lawsuit over the hack.