Three years ago, Capital One Financial Corporation suffered a massive data breach that exposed customers’ personal information. Rather than being the victim of social engineering or a ransomware attack, it turned out that Capital One had misconfigured its web application, leaving its system vulnerable to a breach. The perpetrator, Paige Thompson, is a former Amazon engineer, which may be why she was aware of this misconfiguration, as Capital One’s system ran on Amazon Web Services (AWS).

Thompson, who was 33 years old at the time of the breach, stole the personal information of more than 100 million Capital One customers. This information included Social Security numbers and checking account numbers. Thompson bragged about her unauthorized exfiltration of this data on GitHub. Online chat logs show that she considered sharing the stolen information with a scammer and planned to publish the data while exposing her involvement. A woman in contact with the perpetrator suggested that Thompson turn herself in to law enforcement, but, after a month of inaction on the part of Thompson, the woman informed Capital One of the breach.

The Amazon Spheres at Amazon headquarters in Seattle (source: Wikipedia user Biodin)

Several years after leaving Amazon, the former employee built a tool to scan for the firewall misconfiguration among AWS customers and ended up discovering that Capital One’s system was vulnerable in this way. Thompson’s lawyers argued that she was using the techniques of ethical hackers to discover vulnerabilities. However, rather than informing Capital One of the misconfiguration, as an ethical hacker would, Thompson instead stole customer information and used the financial firm’s AWS servers to mine cryptocurrency.

Now, three years after the breach, a Seattle jury has found Thompson guilty of violating the Computer Fraud and Abuse Act. More specifically, the jury declared her guilty on five counts of gaining unauthorized access to a protected computer and damaging a protected computer, as well as wire fraud. However, the jury found Thompson not guilty of access device fraud and aggravated identity theft.

Thompson’s sentence is yet to be decided, but unauthorized access to a protected computer and damaging a protected computer are punishable by up to five years in prison, and wire fraud is punishable by up to twenty years in prison, so Thompson may have a long sentence ahead of her.

Top image courtesy of Wikipedia user Tdorante10