An ex-Amazon Web Services (AWS) employee has been found guilty of multiple crimes in relation to one of the largest ever US data breaches.
According to a CNBC report, former AWS engineer Paige Thompson was found to have used her position within the firm to hack into Capital One’s database and steal sensitive information on more than 100 million people.
Using the alias “erratic”, she apparently built a tool that helped her search for misconfigured accounts on AWS. What she found was more than 30 such instances owned by Amazon clients, including Capital One. She then proceeded to mine that data and install cryptocurrency miners on some AWS servers.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Wire fraud, aggravated identity theft
The jury found Thompson guilty of seven federal crimes, including wire fraud, illegally accessing a protected computer, and damaging a protected computer. She was found not guilty of aggravated identity theft and access device fraud.
“She wanted data, she wanted money, and she wanted to brag,” Assistant United States Attorney Andrew Friedman said of Thompson, during closing arguments.
The sentencing is scheduled for September 15, and Thompson’s legal representative is yet to comment. Some of these crimes are punishable with up to 20 years of prison time
In mid-2019, financial giant Capital One revealed it suffered a major data breach, with around 106 million customers in the US and Canada having their personal details stolen, including names, addresses and phone numbers.
Around 140,000 US social security numbers and 80,000 linked bank account numbers are also thought to have been compromised, with about one million social insurance numbers belonging to Canadian credit card customers also affected.
Thompson was reported to police by a GitHub forum user after she apparently boasted of the attack online.
Capital One was faced with a class-action lawsuit, following the breach, and agreed to settle by paying $190 million, as well as an additional $80 in regulatory fines.