Paige Thompson found guilty in 2019 Capital One data breach
The former Amazon engineer who hacked AWS and gained access to sensitive data belonging to Capital One customers has been convicted.
Paige A. Thompson has been convicted in the Capital One data breach that affected more than 100 million customers in the U.S. and Canada.
The decision comes nearly three years after the historic data breach that put cloud data security vulnerabilities in the spotlight was discovered.
In 2019, Capital One confirmed a threat actor gained unauthorized access and stole files containing the personally identifiable information of customers and credit card applicants, including payment history, contact information and credit scores, along with over 100,000 Social Security numbers and nearly 80,000 linked bank account numbers. While the financial services giant said it immediately fixed the issue and alerted the FBI, it was still one of the largest financial data breaches to date.
An anonymous email sent to Capital One fueled the FBI's investigation and led to Thompson's arrest in July 2019. The FBI traced a GitHub post that contained the stolen data as well as social media statements made by the former AWS engineer.
A jury in the U.S. District Court in Seattle found 36-year-old Thompson guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft, according to a Department of Justice press release.
The DOJ also revealed steps leading up to the network intrusion. Though she left Amazon years before the hack, the DOJ said while employed at the company, Thompson built a tool she used to scan AWS' cloud platform for misconfigured accounts.
"She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank," the DOJ stated in the press release. "With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet."
Additionally, the press release emphasized how Thompson "bragged" about her illegal actions through texts and online forums under the alias "erratic." The DOJ also said she spent hundreds of hours advancing her scheme, which cost Capital One hundreds of millions in lawsuits.
As a result of the data breach that used misconfigured firewalls, Capital One was fined $80 million and settled customer lawsuits for $190 million, on top of facing raised privacy concerns. Though Capital One said there was no evidence the stolen data was used for fraud, analysis proved difficult. Nearly two years after Capital One issued a statement on the breach, it revealed additional Social Security numbers were among the accessed data.
In the aftermath of the breach, Capital One said it immediately fixed the server-side request forgery vulnerability that was reported by a security researcher through its responsible disclosure program. In a FAQ section on the incident, Capital One also encouraged its customers to enroll in credit card alerts and offered free credit monitoring and identity protection.
Court documents on the settlement agreement also showed Capital One agreed to enhance the company's cloud security standards, procedures and controls, including the implementation of additional cloud security controls.
The breach put cloud security at the forefront of many enterprises. Prior to the attack, there was a misconception that cloud companies would handle security and that default settings were sufficient, said John Bambenek, principal threat hunter at Netenrich.
"The reality is, the shared security model requires users to make sure that their cloud environments are secure, and that data does not accidentally leak," Bambenek said in an email to SearchSecurity.
Though it has taken a few years, he said real strides have been made for companies to improve on default security settings, and for security tools to start detecting misconfigurations and malicious behavior in cloud environments.
Thompson is scheduled for sentencing in September. Wire fraud convictions face up to 20 years in prison, according to the DOJ.
Capital One could not be reached for comment by press time.