A former Amazon Web Services (AWS) engineer has been found guilty of hacking into customers’ cloud storage systems and stealing data in connection with the 2019 Capital One mass breach, a crime punishable by up to 20 years in prison.
Thompson, who also went by “Erratic” online, was arrested for the Capital One hack in July 2019. The breach was one of the largest ever recorded, exposing the names, dates of birth, social security numbers, email addresses and phone numbers of more than 100 million people in the United States and Canada. Capital One was later fined $80 million for allegedly failing to secure user data and settled with affected customers for $190 million.
A press release from the Department of Justice (DOJ) states that Thompson developed a tool that scanned AWS for misconfigured accounts and then used these accounts to gain access to the systems of Capital One and dozens of other AWS customers. Prosecutors also say Thompson “hijacked” companies’ servers to install crypto mining software that would transfer any revenue to her personal crypto wallet. She then “boasted” about her mistakes in online forums and text messages.
At the time, there was some debate over whether Thompson was an ethical hacker or security researcher because of her unusual openness online about her role in the Capital One attack: she posted sensitive customer data on a public GitHub page and shared details of the breach on Twitter and Slack. Earlier this year, the Justice Department clarified that it will not prosecute security researchers under the Computer Fraud and Abuse Act. But U.S. prosecutors were evidently not convinced that Thompson’s actions fall under this exception.
“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” U.S. Attorney Nick Brown said in a statement. Thompson’s court hearing will be held on September 15, 2022.