By: Benjamin Wang
Paige Thompson, an ex-Amazon engineer who stole the personal information of 100 million Capital One customers in March 2019, was found guilty on June 18, 2022, of violating the Computer Fraud and Abuse Act, which forbids accessing a computer without authorization. Andrew Friedman, a U.S. attorney, said she was motivated by data, money, and the chance to brag.
The Capital One breach was one of the biggest hacks of the decade in terms of size as well as the sensitivity of the stolen information. Thompson acquired the names, birth dates, Social Security numbers, and financial information of millions of Capital One customers, as well as data from over 30 other companies. According to Capital One, approximately 120,000 Social Security numbers and 77,000 bank account numbers were stolen. Thompson used knowledge and experience she gained while working at Amazon Web Services to access the data through storage servers that were configured incorrectly.
In 2020, Capital One paid $80 million to U.S. regulators due to its weak cybersecurity processes. However, the regulators later gave Capital One credit for how it responded to the cyberattack and resolved the security issues. Capital One also said that defenses put in place before the breach helped secure the data before it could be shared or used. Later, in December, Capital One paid $190 million to the victims whose information had been breached. In 2019, the year of the breach, Capital One made $28.6 billion in revenue, before accounting for the $270 million cost of Thompson’s cyberattack.
Nicholas W. Brown, the U.S. attorney for the Western District of Washington, said that “Far from being an ethical hacker trying to help companies with their computer security, [Thompson] exploited mistakes to steal valuable data and sought to enrich herself.”
Thompson is scheduled to be sentenced on September 15, 2022, and faces up to 20 years in prison for wire fraud. Her attorneys claim that she has struggled with mental health issues and did not intend to profit from the data, saying that “there is no credible or direct evidence that a single person’s identity was misused.” However, she used her access to Capital One servers to mine cryptocurrency, and the profits that mining generated went directly to her bank account. According to the New York Post, Thompson “shared her mental health struggles and in one tweet claimed she was planning to travel to Denmark in October for legally assisted suicide.”
After discovering her address through an online post, the F.B.I. raided Thompson’s home. Thompson had previously called the Capital One hack a suicide mission in a Twitter post. On June 18, 2019, she wrote “I’ve basically strapped myself with a bomb vest, F–king dropping capitol ones dox and admitting it.” She boasted online about her hacking abilities and posted about the hack on the online communication site Slack. When another user commented “don’t go to jail plz,” Thompson replied, “I wanna get it off my server that’s why Im archiving all of it lol, Its all encrypted. I just don’t want it around though. I gotta find somewhere to store it.”
Sources:
https://www.nytimes.com/2022/06/17/technology/paige-thompson-capital-one-hack.html
https://nypost.com/2022/06/18/seattle-woman-paige-thompson-convicted-in-massive-capital-one-hack/
https://nypost.com/2019/07/30/capital-one-hacker-boasted-on-social-media-after-breach-court-docs/
https://www.insider.com/ex-amazon-worker-convicted-of-hacking-capital-one-and-stealing-data-2022-6
https://nypost.com/2019/07/30/who-is-alleged-capital-one-hacker-paige-thompson/
https://www.nbcnews.com/news/jury-convicts-seattle-woman-massive-capital-one-hack-rcna34324