A 36-year-old Seattle tech worker has been convicted of seven counts of data theft in connection with the infamous 2019 Capital One data breach – punishable by up to 20 years in prison.
In this case, Paige Thompson, who worked under the hacker handle “Uncertain”, placed more than 100 million credit applications in the cloud in the wrongly configured Amazon Web Services storage bucket in the cloud. He was arrested after the banking giant found him with malicious activity and alerted the FBI.
“Mrs. Thompson used her hacking skills to steal the personal information of more than 100 million people and hijack computer servers to mine cryptocurrencies,” said U.S. Attorney Nick Brown. In a statement. “Far from being an ethical hacker, trying to help companies secure their computers, he used mistakes to steal valuable data and tried to enrich himself.”
Prosecutors noted that Thompson specifically used a scanner to detect AWS incorrect configurations, where databases were left open on the Internet without the necessary authentication for access. In all, he was able to infiltrate a database of 30 entities, including Capital One – stealing data and, in some cases, cryptocurrency miners.
According to a Justice Department statement, Thompson “spent hundreds of hours advancing his plan and bragging about his illegal behavior to others through text or online forums.”
After seven days of trial and 10 hours of deliberations, a jury in Seattle’s U.S. District Court found Thompson guilty of wire fraud, five counts of unauthorized access to a secure computer, and damage to a secure computer. The jury found him guilty of access-device fraud and aggravated assault.
Thompson is scheduled to be sentenced by U.S. District Judge Robert S. Lasnick on September 15.
“He wanted data, he wanted money, and he wanted to brag,” said Assistant U.S. Attorney Andrew Friedman in the final argument.
Capitol One said in a media statement, “We are pleased with the outcome of the trial and thank the U.S. Attorney’s Office in Seattle and the FBI’s Seattle Field Office for their tireless efforts in this important case.”
Cloud misconfiguration remains widespread
While Thompson was leaning towards malicious activity, the incident also brought to the fore the issue of cloud-security responsibilities and incorrect configuration. Capital One has been found guilty of failing to keep sensitive financial information open to the public, resulting in a 80 million fine. This too The customer settled the lawsuit for 190 million – Not a cheap result.
“Capital One infringement really puts cloud security at the forefront of many initiatives,” said John Bambanek, Netenrich’s main threat victim. “Previously, there was a misconception that cloud companies would handle security and that the default settings were ‘secure enough’.” The reality is that the shared-security model requires users to ensure that their cloud environment is secure and that data is not accidentally leaked. “
In its recent report on cloud misconfiguration, the security agency Rapid7 noted that violations arising from cloud misconfiguration continue to occur with “tragic frequencies”.
“First and foremost, you should be aware that individuals are actively seeking the wrong configuration of cloud services on a daily basis,” the researchers warned in the report. “Given the right tooling, finding these cracks on a scale in the cloud is almost trivial for any medium-sized person, and they don’t even need to specifically target your organization so that this unwanted misconfiguration reveals sensitive data. In your care.”
For example, earlier this month, researchers at the SecureWorks Counter-Threat Unit (CTU) found that cyber-attackers were targeting misconfigured elastic search cloud buckets for extortion purposes. After finding the data exposed on the public Internet, the attackers widely stole open data and replaced it with a ransom note. At that time, about 1,200 cases were affected.
Thus, enterprises should dedicate resources to cloud security, including planning secure and resilient configurations and monitoring automated processes for errors and oversight, the researchers noted.
Bambanek says there is evidence that things are getting better.
“It’s been a few years, but we’re taking practical steps for security tools to detect not only the default-protected settings, but also the wrong configuration and malicious behavior in the cloud environment,” he told Dark Reading.
