Ex-Amazon employee convicted over data breach of 100 million CapitalOne customers

Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, has been found guilty by a Seattle jury on charges of wire fraud and computer hacking.

Thompson, 36, was accused of using her knowledge as a software engineer working in the retail giant’s cloud division, Amazon Web Services, to identify cloud storage servers that were allegedly misconfigured, and then using those misconfigurations to gain access to the cloud-stored data used by CapitalOne. That data included names, dates of birth, Social Security numbers, email addresses and phone numbers, and other sensitive financial information, such as credit scores, limits and balances.

Some one million Canadians were also affected by the CapitalOne breach.

Thompson also accessed the cloud-stored data of more than 30 other companies, according to a superseding indictment filed by the Justice Department almost two years after Thompson was first charged. Those companies reportedly included Vodafone, Ford, Michigan State University and the Ohio Department of Transportation.

Thompson was convicted under the Computer Fraud and Abuse Act, which prohibits a person from accessing a computer system without authorization. There was some question about her motives, which some said classed Thompson as a potential ethical hacker — the Justice Department said in May that it would no longer prosecute good-faith security researchers — but prosecutors said Thompson “exploited mistakes to steal valuable data and sought to enrich herself,” including using the servers she hijacked to plant and mine cryptocurrency.

The Seattle jury found Thompson not guilty of identity theft and charges relating to device access fraud.

The breach of CapitalOne’s cloud data, much of it stored on Amazon’s cloud, was one of the biggest hacks of the decade, not only by size but also because of the sensitivity of the financial information. CapitalOne’s security chief was replaced a short time after the breach became public. In 2020, the banking giant was fined $80 million by U.S. federal regulators and ordered to improve its cybersecurity defenses, and it was later ordered by a judge to pay close to $200 million in class action damages. CapitalOne made $28.6 billion in revenue during 2019, the year of its breach.

Thompson is expected to be sentenced in September.