View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 20, 2022updated 05 Aug 2022 8:44am

Former AWS engineer convicted over hack that cost Capital One $270m

Paige Thompson developed a tool to identify misconfigured AWS accounts and stole customer data from Capital One and others.

By Pete Swabey

A former AWS engineer has been convicted of seven counts of fraud after the personal data of more than 100 million people was stolen from unsecured accounts on the cloud platform. The breach has so far cost US bank Capital One, one of the 30 institutions affected, more than $270m in compensation and regulatory fines.

A New York bank branch of hacked bank Capital One
Capital One has paid $270m in compensation and fines over the breach, in which customer data was stolen from an unsecured AWS storage bucket. (Photo by ProArtWork/iStock)

Paige Thompson was arrested in July 2019, after Capital One alerted the FBI to the breach. Prosecutors alleged that she had stolen personal data of more than 100 million of the company’s customers, including 140,000 Social Security numbers and 80,000 bank account numbers.

Capital One, which is one of 30 institutions hacked by Thompson, was fined $80m by a US regulator in August 2020 over its failure to properly secure its customers’ data. Last month, it agreed to pay $190m to settle a class action law suit representing customers affected by the breach.

“Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts,” said the US attorney for the state of Washington in a statement. “She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank.”

Thompson, who was employed by AWS between 2015 and 2016, also used the breached accounts to mine for cryptocurrency, a practice known as cryptojacking, prosecutors said.

How did the Capital One hack happen?

Capital One received an anonymous tip-off of the breach in July 2019, alerting the company that data taken from an S3 storage bucket operated by the bank has been leaked on GitHub. The S3 bucket had “a firewall misconfiguration”, the US Department of Justice said at the time.

The FBI traced Thompson to a Slack channel in which we she claimed to possess the stolen data. She also talked about her intention to check into a psychiatric institution.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Thompson will be sentenced in September.

Misconfigured AWS instances have led to a number of high-profile data breaches. Earlier this month, researchers revealed that 6.5 terabytes of data belonging to Turkish airline Pegasus Airlines, including personal data on customers and employees, was exposed in a insecure AWS storage bucket. And in 2017, 100GB of data belonging to US Intelligence and Security Command was discovered in a misconfigured bucket.

Anti-malware software provider Malwarebytes detected a 300% increase in ‘cryptojacking’ malware last year, as the price of cryptocurrencies – in particular, Monero –  grew.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit

Read more: Suspected cyberattack triggers missile sirens in Israel

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.