Ex-Amazon worker convicted in massive Capital One hack
Seattle WA July 19 2022 A former Amazon engineer was convicted Friday on federal charges stemming from a 2019 hack that compromised the accounts of 100 million credit card users.
A jury empaneled in Seattle found Paige Thompson guilty on seven counts related to computer and wire fraud. The verdict, delivered Friday afternoon, comes after eight days of testimony and one day of deliberations.
Thompson, 36, was responsible for one of the largest data breaches in U.S. history, in which she downloaded data from more than 100 million Capital One customers in 2019. The data included about 120,000 Social Security Numbers and about 77,000 bank account numbers.
To get that data, Thompson, who worked as a systems engineer for Amazon Web Services but left years before the hack, looked for AWS clients with misconfigured firewalls. She then exploited those weakness to impersonate an authorized user, the government argued.
Because Capital One’s internal system then recognized Thompson’s queries as coming from a “friendly” computer, the system fulfilled her requests for data. Prosecutors argued she also planted cryptocurrency mining software on the companies’ servers, essentially mooching their computing power to mine currency for her own benefit.
Thompson was convicted of one count of wire fraud and six counts of computer fraud and abuse. She was acquitted of one count of access device fraud and one count of aggravated identity theft.
“We’re thrilled with the verdict,” said Nick Brown, U.S. attorney for the Western District of Washington. “Hopefully it’s good deterrence for other people, like Ms. Thompson, who purport to be good-faith hackers, but who are in fact engaged in something far more dangerous.”
At the center of Thompson’s case were two differing interpretations of the key phrase “without authorization.” The U.S. Computer Fraud and Abuse Act, which Thompson was accused of violating, makes it illegal for anyone to intentionally access a computer “without authorization” or “exceeding authorized access.”
In its closing arguments, the government emphasized that Thompson did not have authorized access because she lacked explicit permission from Capital One or other breached companies to view and download their data.
The defense contended that Thompson’s actions were legal because the breached companies’ systems performed as they were programmed, and anyone with access to a web browser could’ve taken the same actions as Thompson.
As a rebuttal, the government used the analogy of hiding a house key under a door mat. Someone could walk through the neighborhood searching under every door mat and find the key, but just because it fits the lock doesn’t mean that the intruder had “authorization” to enter the house.
The government also used a sampling of Thompson’s tweets, Slack messages and chat board posts to argue that she was a calculated hacker motivated by greed, rather than a noble “white-hat hacker” trying to identify and patch vulnerabilities in companies’ online defenses.
Thompson’s attorney, federal public defender Mohammad Hamoudi, emphasized in closing arguments Thursday that even though Thompson didn’t have an engineering or computer science degree, computers helped her connect to people and communities outside her unstable home life. That same cold and inhuman world of computers could also make Thompson feel isolated and prompt her to act out.
He reminded the jury that Thompson’s friends testified to her often frenzied messages, sent from the apt username “erratic,” and asked the members to not give strong weight to the government’s handful of example messages.
Thompson remains free on bond pending sentencing later this year.
Seattle Times