An engineer at Amazon until 2016, a hacker seized in 2019 the personal data of more than 106 million American and Canadian customers of the bank Capital One. The hacker’s trial, which lasted seven days, ended on Friday, June 17. At its close, Paige Thompson, 36, was found guilty of wire fraud and several other charges. She faces up to 20 years in prison.
The hacker used the bank’s servers to mine cryptocurrencies
In July 2019, Capital One received a report indicating a leak of data from its cloud storage spaces, hosted by Amazon Web Services (AWS). 100 million American customers and 6 million Canadian customers were affected by the theft. The information included names, addresses, telephone numbers, email addresses and even declared income.
Strangely, Paige Thompson’s name appeared in full on a GitHub page, a collaborative site used to share computer code. She had posted some of the stolen data there, freely accessible. The FBI then had no trouble arresting the former Amazon employee. She had managed to access the bank’s AWS storage space through a flaw in the service’s web application firewall. The prosecutor, Nick Brown, explained during the trial that she had used a tool to scan AWS in search of configuration errors.
She was able to siphon data from more than thirty entities, including Capital One. The hacker was not content with this haul: she also planted cryptocurrency mining software on cloud servers, and the cryptocurrency mined was transferred directly to her virtual wallet.
The bank’s IT security was faulty
Paige Thompson also shared some of the stolen data on the Slack messaging service. In a group chat with other hackers, she shared the files and bragged about having them. These elements, easily accessible to the police, were used as evidence during the trial. It ended on June 17 and the young woman was found guilty of wire fraud, a crime punishable by up to twenty years in prison.
She was also found guilty on seven counts, including unlawful access to, and damage to, a protected computer. The jury, which deliberated for more than ten hours, did not however find her guilty of access device fraud (an access device being the means that allows entry to storage spaces), nor of aggravated identity theft.
Part of the responsibility fell on Capital One. In August 2020, the bank had to pay an $80 million fine imposed by the Office of the Comptroller of the Currency, an independent office of the United States Treasury Department. The reason for this penalty was the faulty security of the public cloud service used by the bank. Customers affected by the data theft were compensated up to $190 million.
During the hearing, the prosecutor ended his argument by explaining that Paige Thompson “wanted data, she wanted money, and she wanted to brag about it.” The exact sentence will be announced on September 15, 2022.
The United States does not take cybersecurity issues lightly. In 2021, the Biden administration made it a priority, going so far as to no longer grant any right to error to the companies that work for the government.