A former Amazon Net Companies (AWS) engineer has been discovered responsible of hacking into prospects’ cloud storage methods and stealing information linked to the huge 2019 Capital One breach. A US District Court docket in Seattle convicted Paige Thompson of seven counts of pc and wire fraud on Friday, against the law punishable by as much as 20 years in jail.
Thompson, who additionally glided by the identify “Erratic” on-line, was arrested for finishing up the Capital One hack in July 2019. The breach was one of many largest ever recorded, exposing the names, delivery dates, social safety numbers, e-mail addresses, and telephone numbers of over 100 million folks within the US and Canada. Capital One has since been fined $80 million for allegedly failing to safe customers’ information and settled with affected prospects for $190 million.
A press launch from the Division of Justice (DOJ) states Thompson developed a instrument that scanned AWS for misconfigured accounts after which leveraged these accounts to achieve entry to the methods of Capital One and dozens of different AWS prospects. Prosecutors additionally say Thompson “hijacked” corporations’ servers to put in cryptocurrency mining software program that will switch any earnings to her private crypto pockets. She then “bragged” about her misdoings in on-line boards and over textual content messages.
On the time, there was some debate as as to whether Thompson was an moral hacker or safety researcher as a result of her uncommon candidness about her function within the Capital One assault on-line — she posted prospects’ delicate information on a public GitHub web page and shared the small print of the breach on Twitter and Slack. Earlier this 12 months, the Justice Division made it clear that it wouldn’t prosecute safety researchers beneath the Laptop Fraud and Abuse Act. However US prosecutors clearly weren’t satisfied Thompson’s actions fell beneath this exception.
“Removed from being an moral hacker attempting to assist corporations with their pc safety, she exploited errors to steal helpful information and sought to complement herself,” US legal professional Nick Brown stated in a press release. Thompson’s sentencing listening to will happen on September fifteenth, 2022.