A former AWS engineer has been convicted on seven counts, including wire fraud and illegally accessing a protected computer, after the personal data of more than 100 million people was stolen from misconfigured accounts on the cloud platform. The breach has so far cost US bank Capital One, one of more than 30 organisations affected, more than $270m in compensation and regulatory fines.
Paige Thompson was arrested in July 2019, after Capital One alerted the FBI to the breach. Prosecutors alleged that she had stolen personal data of more than 100 million of the company’s customers, including 140,000 Social Security numbers and 80,000 bank account numbers.
Capital One, one of more than 30 organisations breached by Thompson, was fined $80m by a US regulator in August 2020 over its failure to properly secure its customers’ data. Last month, it agreed to pay $190m to settle a class action lawsuit brought on behalf of customers affected by the breach.
“Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts,” said the US attorney for the Western District of Washington in a statement. “She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank.”
Thompson, who was employed by AWS between 2015 and 2016, also used the breached accounts to mine for cryptocurrency, a practice known as cryptojacking, prosecutors said.
How did the Capital One hack happen?
Capital One received an anonymous tip-off in July 2019 that data taken from S3 storage buckets operated by the bank had been posted on GitHub. According to the criminal complaint filed by the US Department of Justice at the time, the entry point was not the storage itself but “a firewall misconfiguration” that allowed commands to reach and be executed by a Capital One server, which in turn gave access to the bank’s storage buckets.
The FBI traced Thompson to a Slack channel in which she claimed to possess the stolen data. She also talked about her intention to check into a psychiatric institution.
Thompson will be sentenced in September.
Misconfigured AWS storage has been behind a number of high-profile data breaches. Earlier this month, researchers revealed that 6.5 terabytes of data belonging to Turkish airline Pegasus Airlines, including personal data on customers and employees, had been exposed in an insecure AWS storage bucket. And in 2017, 100GB of data belonging to the US Army’s Intelligence and Security Command was discovered in a misconfigured bucket.
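The Pegasus and INSCOM incidents above follow the classic pattern: a bucket that anyone on the internet can read. (Capital One's buckets were reached through the misconfigured server described earlier rather than being world-readable, so a public-access audit alone would not have caught that case.) The script below is an added illustration, not code from the article or from any of the organisations named in it. It implements the decision logic an S3 exposure check needs: a bucket is effectively public only if it has a public ACL or policy and the account's Block Public Access settings do not neutralise it. The bucket names and the three API-shaped responses are constructed sample data, laid out the way boto3 returns `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy`, so the check runs offline.

```python
"""Decide whether an S3 bucket is effectively world-readable.

Constructed example: inputs mirror the shape of boto3's responses for
get_public_access_block, get_bucket_acl and get_bucket_policy but are
hard-coded so the logic can be run and tested without AWS credentials.
"""
import json
from typing import Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_is_public(acl: dict) -> bool:
    """True if a grant gives READ or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def _principal_is_everyone(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_is_public(policy_json: Optional[str]) -> bool:
    """True if an unconditional Allow grants object read to Principal "*".

    Simplification: statements with a Condition are skipped. Conditions such as
    aws:SourceVpce do scope access down, but a loose condition can still leave
    the bucket exposed, so review them by hand.
    """
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            return True
    return False


def effective_exposure(public_access_block: dict, acl: dict,
                       policy_json: Optional[str]) -> list:
    """Return the reasons a bucket is readable by anyone (empty list = not public).

    Block Public Access sits on top of ACLs and policies:
      IgnorePublicAcls      makes existing public ACL grants inert;
      RestrictPublicBuckets limits a public policy to the owner's account and
                            AWS service principals.
    BlockPublicAcls and BlockPublicPolicy only reject *new* public settings, so
    they do not remediate an already-public bucket and are not consulted here.
    An account with no block configured is modelled as an empty dict (all off).
    """
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    reasons = []
    if acl_is_public(acl) and not cfg.get("IgnorePublicAcls", False):
        reasons.append("ACL grants READ to a global group and IgnorePublicAcls is off")
    if policy_is_public(policy_json) and not cfg.get("RestrictPublicBuckets", False):
        reasons.append("policy allows object read to Principal * and RestrictPublicBuckets is off")
    return reasons


# Constructed responses for three hypothetical buckets (not real data).
NO_BPA = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
FULL_BPA = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
PUBLIC_READ_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
WORLD_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

SAMPLE_BUCKETS = {
    "exposed-by-acl": (NO_BPA, PUBLIC_READ_ACL, None),
    "exposed-by-policy": (NO_BPA, PRIVATE_ACL, WORLD_READ_POLICY),
    "public-settings-but-bpa-on": (FULL_BPA, PUBLIC_READ_ACL, WORLD_READ_POLICY),
}


def audit(buckets: dict) -> dict:
    """Map bucket name -> list of exposure reasons."""
    return {name: effective_exposure(*args) for name, args in buckets.items()}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {'PUBLIC: ' + '; '.join(reasons) if reasons else 'not public'}")
```

To run this against a real account, replace the constructed dicts with the corresponding boto3 calls (treating a `NoSuchPublicAccessBlockConfiguration` error as an empty configuration) and also check the account-level `s3control` public access block, which overrides the per-bucket one. The third sample bucket is the important case: it has both a public ACL and a public policy, yet is not exposed because Block Public Access is fully enabled, so a scanner that only greps for `Principal: *` produces false positives there.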
Anti-malware vendor Malwarebytes recorded a 300% increase in cryptojacking malware detections last year, as cryptocurrency prices, Monero’s in particular, rose.