Ex-Amazon Cloud Worker Found Guilty in Capital One Hack

The huge hack affected more than 100 million US customers.

Edward Moyer Senior Editor

The suspect in the massive 2019 data breach of Capital One was found guilty Friday of hacking and wire fraud charges. The Capital One hack, one of the largest-ever breaches of a financial services company, affected more than 100 million US customers and involved the theft of sensitive data including Social Security and bank account numbers.

The hacker, Paige A. Thompson, a former systems engineer at Amazon Web Services, used a self-made tool to detect misconfigured AWS accounts and then used those accounts to hack into the systems of more than 30 organizations, including Capital One, the US Department of Justice said in a release. In addition to downloading data, she planted cryptocurrency mining software on servers and directed crypto to her online wallet, the Justice Department said.

"She wanted data, she wanted money, and she wanted to brag," Assistant United States Attorney Andrew Friedman said in closing arguments, according to the release. The Justice Department didn't identify the other organizations affected by Thompson's activity.

Following Thompson's arrest, Amazon said she'd left the company three years before the hack took place. Last year, Capital One agreed to pay $190 million to settle a class-action lawsuit filed by customers. Both Capital One and Amazon Web Services denied liability but said they'd settle to avoid the time, expense and uncertainty of litigation.

The year before, Capital One agreed to pay $80 million to settle claims by federal bank regulators that its cybersecurity measures fell short and that it failed to put proper risk assessment steps in place when it started using cloud storage services. The regulators gave Capital One credit for how it notified customers after the hack and how it took steps to remedy problems. And the company said safeguards it had put in place before the breach helped it secure data before any customer information could be disseminated or used.

In addition to wire fraud, Thompson was found guilty of five counts of unauthorized access to a protected computer and damaging a protected computer, the Justice Department said. She was found not guilty of aggravated identity theft and access device fraud.

Thompson is scheduled to be sentenced Sept. 15, the Justice Department said, and faces up to 20 years in prison for wire fraud. Illegally accessing a protected computer and damaging a protected computer are punishable by up to five years in prison, the agency said.

A lawyer for Thompson didn't immediately respond to a request for comment on the verdict.