An ex-Amazon Web Services engineer accused of a massive hack in 2019 was found guilty of seven federal crimes on Friday in U.S. District Court in Seattle.
Prosecutors showed how Paige Thompson built a tool that identified misconfigured AWS accounts and used them to access data from more than 30 entities, including Capital One, an AWS customer. More than 100 million Capital One customers were affected. It was one of the largest breaches of a major financial service.
A jury found that Thompson violated the Computer Fraud and Abuse Act, which drew attention last month after the Justice Department revised its policy for charging cases under the Act and said “good-faith security research should not be charged.”
Thompson was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. She used the illegal access to earn income from cryptocurrency mining software that was planted on new servers, according to the suit. Thompson was found not guilty of access device fraud and aggravated identity theft.
“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” U.S. Attorney Nick Brown said in a press release. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”
Thompson worked at Amazon as a systems engineer from 2015 to 2016.
Capital One ended up paying $80 million in fines and $190 million to settle a class-action lawsuit related to the hack.
Thompson, 36, is scheduled for sentencing on Sept. 15. Wire fraud is punishable by up to 20 years in prison; illegally accessing a protected computer and damaging a protected computer are punishable by up to five years.