Former Amazon Employee Convicted of 2019 Capital One Bank Hack


Former Amazon Web Services (AWS) employee Paige Thompson — a.k.a “erratic” — was found guilty by a U.S. District Court in Seattle Friday of hacking Capital One bank in 2019. The breach is one of the largest in U.S. history and resulted in the theft of the personal information of over 100 million people.

Thompson used a self-built software tool to breach Capital One’s cloud, managing to hijack computer servers and mine cryptocurrency for herself, the U.S. Attorney’s Office said. The incident resulted in an $80 million fine for Capital One by the U.S. Treasury, while the bank also had to settle $190 million worth of customer lawsuits.

Several Charges of Wire Fraud and Computer Intrusions

The Capital One incident is just one of seven charges of wire fraud and computer intrusion brought against Thompson, who was arrested in July 2019 following an FBI Seattle Cyber Task Force crackdown. A complaint filed with the U.S. District Court stated that the bank received a tip about Thompson’s activity on software development hub GitHub via an anonymous user.

Capital One received an email stating that Thompson had hundreds of stolen files in her possession, including Capital One customers’ names and encrypted Social Security numbers. Later, law enforcement also confirmed that she was using the virtual private network software “IPredator” in an attempt to anonymize herself online while running a group on the online social media app Meetup.

U.S. Attorney Nick Brown pointed out that Thompson leveraged her position as an ethical hacker at Amazon to exploit cybersecurity lapses in Capital One’s systems and steal valuable data for personal gain. Furthermore, the courts did not think that Thompson’s actions could be softened under new ethical security research policies, which no longer seek to prosecute hackers with good intent.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” Brown said. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

Thompson faces up to 20 years in prison for the wire fraud violations and up to five years for each charge of accessing and damaging protected computers. She was acquitted of access device fraud and aggravated identity theft charges. U.S. District Judge Robert S. Lasnik will hand down the sentence on September 15, 2022.

Thompson Used a Custom-Built Tool

With a “tool she built,” Thompson scanned AWS looking for “misconfigured accounts,” the U.S. DoJ’s press release said. This allowed her to hack into those accounts and “download the data of more than 30 entities, including Capital One Bank.”

While she was in the system, Thompson planted cryptocurrency mining scripts on “new servers,” and diverted all generated income “to her online wallet,” the DoJ said. She spent “hundreds of hours advancing her scheme,” while showboating to others on online forums and via text.

An “Erratic” Character

According to court papers obtained by the Associated Press, defense attorneys argued that Thompson battled mental health issues and claimed she had no intention of profiting from the obtained data. Her defense also stressed that there was no evidence of anyone’s identity being misused.

Following her arrest, Thompson’s friends and associates told the AP she was a “skilled programmer and software architect” but said they knew she had an unstable personality. She overshared in chat groups, was frequently profane, expressed gender-identity distress, and had her “ups and downs,” they said in interviews. What is more, she stalked and harassed two of her former roommates who took out a restraining order against her.

Her friends also told the AP they believed that, following her short stint at AWS from 2015 to 2016, Thompson claimed to be battling serious depression coupled with unemployment — which could have been the attention-seeking and financial drivers behind the hack.

The Importance of Secure Cloud Storage

Cloud storage has become a popular attack vector for cybercriminals, with ever more sensitive data being stored there by organizations small and large. Misconfigured cloud storage solutions are an invitation for cybercriminals.

Recently, we’ve uncovered several examples where an AWS bucket was left unsecured — such as the Sephora and Switch fintech breaches.

You may find our expert breakdown on securing and protecting AWS S3 buckets useful if you belong to an organization using this kind of storage. If you are a personal cloud storage user, check out our top 5 most secure cloud options to ensure your data is in good hands.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.