The suspect in the massive 2019 data breach of Capital One was found guilty Friday of hacking and wire fraud charges. The Capital One hack, one of the largest-ever breaches of a financial services company, affected more than 100 million US customers and involved the theft of sensitive data including Social Security and bank account numbers.
The hacker, Paige A. Thompson, a former systems engineer at Amazon Web Services, used a self-made tool to detect misconfigured AWS accounts and then use those accounts to hack into the systems of more than 30 organizations, including Capital One, the US Department of Justice said in a release. In addition to downloading data, she planted cryptocurrency mining software on servers and directed crypto to her online wallet, the DOJ said.
“She wanted data, she wanted money, and she wanted to brag,” Assistant United States Attorney Andrew Friedman said in closing arguments, according to the release. The DOJ didn’t name the other organizations affected by Thompson’s activity.
Following Thompson’s arrest, Amazon said she’d left the company three years before the hack took place. Last year, Capital One agreed to pay $190 million to settle a class-action lawsuit filed by customers. Both Capital One and Amazon Web Services denied liability but said they’d settle to avoid the time, expense and uncertainty of litigation.
The year before, Capital One agreed to pay $80 million to settle claims by federal bank regulators that its cybersecurity measures fell short and that it failed to put proper risk assessment steps in place when it started using cloud storage services. The regulators gave Capital One credit for how it notified customers after the hack and how it took steps to remedy problems. And the company said safeguards it had put in place before the breach helped it secure data before any customer information could be disseminated or used.
In addition to wire fraud, Thompson was found guilty of five counts of unauthorized access to a protected computer and damaging a protected computer, the DOJ said. She was found not guilty of aggravated identity theft and access device fraud.
Thompson is scheduled to be sentenced Sept. 15, the DOJ said, and faces up to 20 years in prison for wire fraud. Illegally accessing a protected computer and damaging a protected computer are punishable by up to five years in prison, the agency said.
A lawyer for Thompson didn’t immediately respond to a request for comment on the verdict.
