October 5, 2022 (updated 1 November 2022, 11:38am)

Former AWS engineer who hacked Capital One will face no further jail time

Former AWS employee convicted of lifting the data of 100 million Capital One customers to receive no further jail time.

By Claudia Glover

The former AWS engineer behind the Capital One hack was sentenced yesterday to time served and five years probation, including computer and location monitoring. The US Department of Justice said it believes the sentence issued to Paige Thompson is too lenient for the crime, which saw her steal 100 million customer records from Capital One’s cloud database in 2019. The attack cost the bank $270m in compensation and fines.

Paige Thompson sentenced to time served plus five years probation following her attack on Capital One. (Photo by DCStockPhotography at Shutterstock)

Thompson, whose online alias was “erratic”, was convicted of seven counts of wire fraud after uncovering Capital One’s misconfigured AWS storage buckets in 2019 and removing the data she found, in addition to other data heists.

She was also found guilty of five counts of unauthorised access to a protected computer and damaging an affected computer.

Capital One hack: Thompson sentence confuses DoJ

US Attorney Nick Brown expressed consternation at the verdict in a statement released by the DoJ, saying: “We are very disappointed with the court’s sentencing decision. This is not what justice looks like.”

In the sentencing hearing, District Judge Robert S Lasnik expressed sympathy for Thompson, explaining that time in prison would be particularly difficult for her due to her mental health and transgender status.

Reports from the hearing suggest that Judge Lasnik is aware of the danger that Thompson will commit further crimes outside of jail. “If that does happen,” he said, “I’ll admit my mistake. I believe in her and believe she will prove this is the right sentence.”

Asking the court to impose a seven-year sentence, the prosecution outlined how the former Seattle tech worker had built a tool to scan the web for misconfigured AWS accounts, hacking and downloading the data of more than 30 companies including Capital One.

In a sentencing memo, prosecutors wrote that “Thompson’s crimes were fully intentional and grounded in spite, revenge and wilful disregard for the law. She exhibited a smug sense of superiority and outright glee while committing these crimes.” Thompson, it goes on, “was motivated to make money at other people’s expense, to prove she was smarter than the people she hacked and to earn bragging rights in the hacking community”.

Friends of Thompson argue her actions had an altruistic element. In a letter to the court, a friend of the hacker wrote: “Paige saw a situation where the information on which the financial system depends for its security was left utterly unguarded by its custodians.” The letter goes on to say: “Any random person with a computer could commit nearly limitless fraud.”

Thompson will be expected to pay a restitution amount for her convictions. The hearing to determine how much that will be is scheduled for 1 December.

The breach prompted Capital One to reach a $190m settlement with affected customers. The bank was also fined $80m by the Treasury Department for failing to secure its customers’ data.
