Former Amazon engineer convicted of stealing and exposing more than 100 million people’s data, facing up to 20 years in prison

IT House June 19 news, a Seattle jury found that former Amazon software engineer Paige Thompson was charged with stealing data from Capital One in 2019, guilty of wire fraud and five counts of unauthorized access to a protected computer.

The Capital One hack was one of the largest security breaches in the United States,The incident resulted in a data breach of 100 million Americans and 6 million Canadians, including name, date of birth, social security number, email address, and phone number. Thompson was arrested in July of that year when a GitHub user saw her sharing information on the site about the theft of data from the server that stored Capital One’s information.

According to the DOJ announcement, Thompson used a tool she built herself to scan Amazon Web Services for misconfigured accounts. She then allegedly used the accounts to infiltrate Capital One’s servers and download data on more than 100 million people.

The jury found Thompson did so in violation of the Computer Fraud and Abuse Act, but Thompson’s lawyers argued that she used the same tools and methods as ethical hackers.

IT House understands that the U.S. Department of Justice recently amended the Computer Fraud and Abuse Act to protect ethical or white hat hackers. Researchers can no longer be charged under the law as long as they investigate or fix vulnerabilities in “good faith” and don’t use the security flaws they find for extortion or other malicious purposes.

However,U.S. authorities disagree with claim that Thompson was just trying to expose the Capital One vulnerability. The Justice Department said she implanted cryptocurrency mining software on the bank’s servers and sent the proceeds directly to her digital wallet. She also allegedly bragged about her hacking on forums.

“Far from being an ethical hacker trying to help companies keep their computers safe, she used mistakes to steal valuable data and profit from it,” U.S. Attorney Nick Brown said.Thompson could be sentenced to up to 20 years in prison for wire fraud, each charge of illegally accessing a protected computer carries a maximum penalty of five years in prison. Her sentencing hearing is scheduled for September 15.