Paige Thompson, a former Amazon employee, was found guilty of wire fraud and computer intrusions for her role in the theft of personal data from over 100 million customers of the Capital One Bank (COB) in 2019. She was convicted of wire fraud, five counts of unauthorized access to a protected computer, and destroying it. After a seven-day trial, the jury acquitted her of additional charges, including access device fraud and aggravated identity theft. Her sentencing date is September 15, 2022, and the charges are punishable by up to 25 years in prison. “Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency. Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” stated U.S. Attorney Nick Brown.
The defendant broke into Amazon’s cloud computing systems in July 2019 and stole the Personal Identifiable Information (PII) of about 100 million people in the United States and six million people in Canada. The stolen PII included names, dates of birth, Social Security Numbers (SSN), Email, and phone numbers. Thompson used a custom tool for scanning misconfigured Amazon Web Services (AWS) instances to steal sensitive data from over 30 companies, including COB, and installing cryptocurrency mining software on the illegally accessed servers in order to mint digital funds. According to the Justice Department, the hacker boasted about her illegal activities to others via text messages on online forums. The data was also available on a GitHub page that was open to the public. The Office of the Comptroller of the Currency (OCC) fined COB $80 million in August 2020 for refusing to maintain appropriate risk management procedures before transferring its IT operations to a public AWS. In December 2021, COB also agreed to pay $190 million to resolve a class-action lawsuit over the breach.