Ex-Amazon Employee Convicted Over Data Breach of 100 Million CapitalOne Customers (techcrunch.com)
Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, has been found guilty by a Seattle jury on charges of wire fraud and computer hacking. From a report: Thompson, 36, was accused of using her knowledge as a software engineer working in the retail giant's cloud division, Amazon Web Services, to identify cloud storage servers that were allegedly misconfigured to gain access to the cloud-stored data used by CapitalOne. That included names, dates of birth, Social Security numbers, email addresses and phone numbers, and other sensitive financial information, such as credit scores, limits and balances. Some one million Canadians were also affected by the CapitalOne breach. Thompson also accessed the cloud-stored data of more than 30 other companies, according to a superseding indictment filed by the Justice Department almost two years after Thompson was first charged, which reportedly included Vodafone, Ford, Michigan State University and the Ohio Department of Transportation.
Re: Lock her up (Score:2)
Troll food (Score:2)
First visible comment, so I score it as the first visible propagation of the troll Subject. Two points subtracted.
Re: Lock her up (Score:1)
Actually, they could. Between Groningen, Scandinavia and North Sea deposits there is plenty. They could also bring back their nuclear sites. The problem is as always the green politics, regulations on carbon emissions etc. Now the Germans are turning their coal back on, because that's better.
OT: buying from Putin (Score:1, Offtopic)
Because Biden shut down Trump's [reuters.com] initiatives [cnbc.com], which would've replaced Russia with the US on European energy markets.
Democrats' worst problem with Putin's aggression is its "profound impact" on climate [nypost.com]. All the Kremlin asshole has to do is buy carbon credits — I'm sure, Biden's Administration will allow him to use the frozen funds [nytimes.com] for that noble initiative — and the war (and the war-crimes) will be forgiven...
Re: (Score:2)
Can you post links for what Biden has shut down?
Re: (Score:2, Informative)
He pitched them natural gas but it never mentions them buying any. Can't blame them. Would you buy anything Trump is selling?
Re: (Score:1, Informative)
Don't mind continuing off topic, eh? Ok:
Right now the pipeline remains "uncertified", but Ukraine can no longer threaten to block the gas transit through
Re: (Score:2, Interesting)
Couple notes:
Keystone XL was only 3% completed when cancelled, only dealt with shale oil that was primarily for export and overall was a huge boondoggle from the start. Hardly a difference maker in 2022.
also from your own article
"We've already seen domestic production ramp up," Alan Zibel, a research director at Public Citizen, told Newsweek.
Zibel noted that production "fell off a cliff" in the spring of 2020 due to the coronavirus pandemic but has been gradually coming back since, under both former preside
Re: (Score:2)
Sorry if off-topic. I see the formatting that you used in your comment, with the horizontal rules and the indentation. <hr> however doesn't seem like a valid tag when I try it. If you have a chance, can you pastebin the html formatting that you used for your comment here? Slashdot's accepted tags have always been a frustrating part for me.
Re: (Score:2)
You like feeding trolls, do you? In the form of a tweet:
How can you discuss "rule of law" with someone who actively prefers "law of the jungle"?
What's the moral difference between hanging Mike Pence, guns for "schools" in China or the USA, and dead Ukrainians and dead Russian soldiers? All the same?
Re: (Score:2)
What's that got to do with the price of tea in China? She/He/It/They doesn't matter, a person by policy and knowledge of the CFAA abused their privilege and accessed systems without authorization. Taking data, bragging about it on GitHub, and then thinking that nothing would happen was naive. This isn't a case of supposed over-prosecution as in the Aaron Swartz case, [forbes.com] not by a long shot.
Re: (Score:2)
Criminal activity is subjective. What may be considered no big deal in some jurisdictions could get you severe punishment in others. In this case, I don't believe the prosecution alleged that the information was sold or re-published. From the info on the DOJ site: [justice.gov]
Paige Thompson was a former software engineer at a Seattle technology company. She was charged in a criminal complaint with computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation. According to the criminal complaint, Thompson posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify Thompson as the person who was posting about the data theft. FBI agents executed a search warrant at Thompson’s residence and seized electronic storage devices containing a copy of the data.
If anything this proves that criminals are dumb.
Re: (Score:3)
30 years minimum. White collar crime is worse than robbing a bank.
I think a little bit generic, but yes I expect at least 30 years. But my rule of thumb is stealing from the rich you get more time than a murder of poor people. The richer the person, the more time you do.
Data is a liability (Score:2)
The likes of the GDPR should have educated management that data is also a liability, not just an asset.
And unnecessary data gathering is a major liability.
(And yes, I'm aware this data breach happened in 'murca.)
Re: (Score:1)
What data that they had ( names, dates of birth, Social Security numbers, email addresses and phone numbers, and other sensitive financial information, such as credit scores, limits and balances) are you pretending is unnecessary?
While I applaud the conviction... (Score:5, Interesting)
Does it bother anybody that Ford, UMich, CapitalOne, et al. had insecure data in AWS?
Re: (Score:2)
Tip of the iceberg.
Re: (Score:3, Insightful)
Maybe we should blame AWS for being insecure by default. One has to wonder who else accessed the data.
Re: (Score:3)
Maybe we should blame AWS for being insecure by default.
You don't want to go down that road. Nothing good is down there. What we need is to make corporate officers personally responsible for these breaches. How they choose to store data and with whom is up to them, it needs to be their responsibility, which means they need to be held responsible. Literally nothing else will solve this problem under corporate capitalism.
Re: (Score:2)
There is plenty of blame to go around.
Re: (Score:3)
Blaming Amazon for insecure defaults sets a precedent that might well destroy [F]OSS.
No question they should be encouraged to tighten things up, but providing foot-shooting ability is ultimately necessary.
Re:While I applaud the conviction... (Score:5, Informative)
AWS has big disclaimers on their services. From their TOS: [amazon.com]
4. Your Responsibilities.
4.1 Your Accounts. Except to the extent caused by our breach of this Agreement, (a) you are responsible for all activities that occur under your account, regardless of whether the activities are authorized by you or undertaken by you, your employees or a third party (including your contractors, agents or End Users), and (b) we and our affiliates are not responsible for unauthorized access to your account.
4.2 Your Content. You will ensure that Your Content and your and End Users’ use of Your Content or the Service Offerings will not violate any of the Policies or any applicable law. You are solely responsible for the development, content, operation, maintenance, and use of Your Content.
4.3 Your Security and Backup. You are responsible for properly configuring and using the Service Offerings and otherwise taking appropriate action to secure, protect and backup your accounts and Your Content in a manner that will provide appropriate security and protection, which might include use of encryption to protect Your Content from unauthorized access and routinely archiving Your Content.
4.4 Log-In Credentials and Account Keys. AWS log-in credentials and private keys generated by the Services are for your internal use only and you will not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf.
4.5 End Users. You will be deemed to have taken any action that you permit, assist or facilitate any person or entity to take related to this Agreement, Your Content or use of the Service Offerings. You are responsible for End Users’ use of Your Content and the Service Offerings. You will ensure that all End Users comply with your obligations under this Agreement and that the terms of your agreement with each End User are consistent with this Agreement. If you become aware of any violation of your obligations under this Agreement caused by an End User, you will immediately suspend access to Your Content and the Service Offerings by such End User. We do not provide any support or services to End Users unless we have a separate agreement with you or an End User obligating us to provide such support or services.
You, the user of their services, are responsible; they take no responsibility.
Re:While I applaud the conviction... (Score:4, Informative)
In general, AWS goes out of its way to not be insecure by default. Things start out pretty locked down, and it takes a few steps to open things up. The problem is that people who don't know what they're doing just do easy "allow all" kind of rules, or disable various protections and permissions, which leads to things being insecure while still technically working. Some AWS services even pop up big banners when they're fully public to make sure devs are aware.
There are legitimate use cases for things set up that way, you can't really blame the service for improper use by devs/whomever. Although there's plenty of valid discussion to be had about "Cloud" in general as a concept and whether it's good to be using it for sensitive data at all.
Re: (Score:2)
> Although there's plenty of valid discussion to be had about "Cloud" in general as a concept and whether it's good to be using it for sensitive data at all.
I think the cloud can be fine, with the proper controls in place.
Datacenter offerings have evolved, there is rented space where you do your own everything, there are hosted/dedicated computers, there are shared hardware environments, probably other things I'm not thinking of. When we talk about 'Cloud' and Software-as-a-Service, then we expect to be
Re: (Score:2)
Does it bother anybody that Ford, UMich, CapitalOne, et al. had...data in AWS?
Yes, very much. Whoever decided to store that information on an outside server needs some prison time to think about their easily avoidable idiocy.
Amazon HR has problems (Score:1)
Maybe mentally ill people shouldn't be placed in positions of importance?
https://www.geekwire.com/2019/... [geekwire.com]
Re: (Score:1)
^^THIS^^
The whole event comes down to exploitation of a difficult to identify misconfiguration unless of course you have insider knowledge.
Simple reality is gender dysphoria where the person is so functionally impaired they can't engage in normative behavior, is a severe illness. These people should be committed and treated, not given high-trust positions because DEI
Re: (Score:2)
Hah! They downvoted you to "troll" status already. Predictable. But IMO, very good point. I was just thinking the same thing when I read the article. How incredibly rare to find a female hacker who was actually charged with a data breach this large. (Last time I read a "life story" about a lady hacker, it turned out she was primarily motivated by wanting to get herself into as many rock concerts for free as possible, and she graduated to doing some of the early phone phreaking back in the day. I'd have
Re: Her? (Score:2)
Reminds me of how women in the UK developed a predilection for sex crimes. Nobody understands why this suddenly happened?
NDA plays a big role (Score:1)