A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customers’ cloud storage systems and stealing data linked to the massive 2019 Capital One breach. A US District Court in Seattle on Friday convicted Page Thompson of seven counts of computer and wire fraud, a crime that could carry up to 20 years in prison.
Thompson, also known as “erratic” online, was arrested in July 2019 for hacking Capital One. The breach was one of the largest ever records, in which names, dates of birth, Social Security numbers, email addresses, were exposed. and the phone numbers of more than 100 million people in the US and Canada. Capital One has since been fined $80 million for allegedly failing to secure users’ data and settling a $190 million settlement with affected customers.
A Department of Justice (DOJ) press release states that Thompson has developed a tool that scans AWS for incorrectly configured accounts and then accesses the systems of Capital One and dozens of other AWS customers. To take advantage of these accounts. Prosecutors also say that Thompson “hijacked” the companies servers to install cryptocurrency mining software that would transfer any earnings to his personal crypto wallet. He then “bragged” about his wrongdoings in online forums and text messages.
At the time, there was some debate as to whether Thompson was an ethical hacker or a security researcher online because of his unusual clarity about his role in the Capital One attack – he posted sensitive customer data to a public GitHub page. Did and shared details of the breach on Twitter and Slack. Earlier this year, the Justice Department clarified that it would not prosecute security researchers under the Computer Fraud and Abuse Act. But US prosecutors were apparently not convinced that Thompson’s action falls under this exception.
“Rather than being an ethical hacker trying to help companies with computer security, she took advantage of mistakes to steal valuable data and tried to enrich herself,” US Attorney Nick Brown said in a statement. Thompson’s sentencing hearing will take place on September 15, 2022.