A former Amazon engineer was convicted Friday on federal charges stemming from a 2019 hack that compromised the accounts of 100 million bank card customers.
A jury empaneled in Seattle found Paige Thompson guilty on seven counts related to computer and wire fraud. The verdict, delivered Friday afternoon, comes after eight days of testimony and one day of deliberations.
Thompson, 36, was responsible for one of the largest data breaches in U.S. history, in which she downloaded data from more than 100 million Capital One customers in 2019. The data included about 120,000 Social Security numbers and about 77,000 checking account numbers.
To get that data, Thompson, who worked as a systems engineer for Amazon Web Services but left years before the hack, looked for AWS customers with misconfigured firewalls. She then exploited those weaknesses to impersonate an authorized user, the government argued.
Because Capital One’s internal system then recognized Thompson’s queries as coming from a “friendly” computer, the system fulfilled her requests for data. Prosecutors argued she also planted cryptocurrency mining software on the companies’ servers, essentially mooching their computing power to mine currency for her own benefit.
Thompson was convicted of one count of wire fraud and six counts of computer fraud and abuse. She was acquitted of one count of access device fraud and one count of aggravated identity theft.
At the center of Thompson’s case were two differing interpretations of the key phrase “without authorization.” The U.S. Computer Fraud and Abuse Act, which Thompson was accused of violating, makes it illegal for anyone to intentionally access a computer “without authorization” or “exceeding authorized access.”
In its closing arguments, the government emphasized that Thompson didn’t have authorized access because she lacked explicit permission from Capital One or other breached companies to view and download their data.
The defense contended that Thompson’s actions were authorized because the breached companies’ systems performed as they were programmed, and anyone with access to a web browser could’ve taken the same actions as Thompson.
As a rebuttal, the government used the analogy of hiding a house key under a doormat. Someone could walk through the neighborhood looking under every doormat and find the key, but just because it fits the lock doesn’t mean that the intruder had “authorization” to enter the house.
The authorities additionally used a sampling of Thompson’s tweets, Slack messages and chat board posts to argue that she was a calculated hacker motivated by greed, fairly than a noble “white-hat hacker” making an attempt to determine and patch vulnerabilities in firms’ on-line defenses.
Thompson’s lawyer, federal public defender Mohammad Hamoudi, emphasized in closing arguments Thursday that even though Thompson didn’t have an engineering or computer science degree, computers helped her connect to people and communities outside her unstable home life. That same cold and inhuman world of computers could also make Thompson feel isolated and prompt her to act out.
He reminded the jury that Thompson’s friends testified to her often frenzied messages, sent from the apt username “erratic,” and asked the members not to give strong weight to the government’s handful of example messages.
Thompson remains free on bond pending sentencing later this year.