Capital One: Convicted techie got in via 'misconfigured' AWS buckets

Assistant US attorney: 'She wanted data, she wanted money, and she wanted to brag'


Updated A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court.

The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants were swiped from the financial giant's misconfigured cloud-based storage.

Paige Thompson (aka "erratic") was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."

According to the original July 2019 complaint [PDF], Capital One received an email to its responsible disclosure address stating: "There appears to be some leaked s3 data of yours in someone's github /gist."

The complaint added: "Capital One determined that the April 21 file contained code for three commands, as well as a list of more than 700 folders or buckets of data."

Capital One then confirmed that they "matched the actual names of folders or buckets of data used by Capital One for data stored at the cloud company."

According to the US Attorney's office, Thompson used a tool to scan AWS accounts in search of misconfigurations. She then used the results to siphon data from more than 30 entities, including Capital One. "With some of her illegal access," wrote the office, "she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet."

Evidence from Thompson's own words in texts and online chats was used in the seven-day jury trial. The jury took 10 hours to come up with a verdict: guilty of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer. Thompson was found not guilty of aggravated identity theft or access device fraud.

Sentencing is due on September 15, 2022.

As for Capital One, it was memorably slapped with a $80 million fine and settled customer lawsuits for $190 million following the leak. The Office of the Comptroller of the Currency (OCC), an independent bureau of the US Department of Treasury, took the Virginia-based bank to task over its shoddy security practices and applied for a cease and desist order against Capital One, forbidding it from "engaging in unsafe or unsound practices, including those relating to information security."

Quite an expensive misconfiguration, all told.

"Ms Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," thundered US Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."

"She wanted data, she wanted money, and she wanted to brag," Assistant United States Attorney Andrew Friedman said in closing arguments.

The Register contacted Thompson's lawyers for comment and will update should they respond. ®

Updated to add at 1446 UTC

Capital One has been in touch to comment: "We are pleased with the outcome of the trial and remain thankful for the tireless work of the US Attorney's Office in Seattle and the FBI's Seattle Field Office in prosecuting this important case."


Other stories you might like

Biting the hand that feeds IT © 1998–2022