Capital One scammer entered through ‘misconfigured’ AWS storage • The Register

A former Seattle technician has been convicted in a US district court of wire fraud and computer burglary.

The conviction follows Capital One’s infamous 2019 hack that stole the personal information of more than 100 million US and Canadian credit card applicants from the financial giant’s misconfigured cloud-based storage.

Paige Thompson (aka “erratic”) was arrested in July 2019 after leaking data between March and July of that year. The data had been submitted by credit card applicants between 2005 and early 2019, and Thompson was able to get into Capital One’s AWS storage thanks to a “misconfigured web application firewall.”

According to the original July 2019 complaint [PDF], Capital One received an email at its responsible disclosure address stating: “There appears to be some leaked s3 data of yours in someone’s github/gist.”

The complaint added, “Capital One found that the April 21 file contained code for three commands and a list of more than 700 folders or buckets of data.”

Capital One then confirmed that they “match the actual names of folders or buckets of data used by Capital One for data stored at the cloud company.”

According to US Attorneys, Thompson used a tool to scan AWS accounts looking for misconfigurations. She then used the results to mine data from more than 30 companies, including Capital One. “Using some of her illegal access,” the bureau wrote, “she installed cryptocurrency mining software on new servers, with mining proceeds flowing into her online wallet.”

Thompson’s own words, in texts and online chats, were used as evidence during the seven-day trial. It took the jury 10 hours to reach a verdict: guilty of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer. Thompson was found not guilty of aggravated identity theft and access device fraud.

Sentencing is due September 15, 2022.

As for Capital One, it was memorably hit with an $80 million fine and settled $190 million in customer lawsuits in the wake of the leak. The Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Treasury Department, took the Virginia-based bank to task for its shoddy security practices and sought an injunction against Capital One, barring it from “investing in insecure or unsound business practices, including those related to information security.”

All in all, a pretty expensive misconfiguration.

“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people and hijacked computer servers to mine cryptocurrencies,” thundered US Attorney Nick Brown. “Far from being an ethical hacker trying to help companies with their computer security, she exploited bugs to steal valuable data and sought to enrich herself.”

“She wanted data, she wanted money, and she wanted to show it off,” Assistant Attorney Andrew Friedman said in the closing arguments.

The Register reached out to Capital One and Thompson’s attorneys for comment and will update this story if either responds. ®
