“She wanted data, she wanted money and she wanted to brag”
This was what Assistant United States Attorney Andrew Friedman said of Paige Thompson in his closing arguments following the week long trial.
The jury voted to convict former Amazon software engineer, Paige Thompson following her “hack” of over 30 clients that used AWS. This included Capital One and has been called one of the largest data breaches in US history.
Prosecutors argued that Thompson started her employment with Amazon in 2016 and was able to gain access to misconfigured AWS accounts to steal personal information. She also installed crypto miners on servers that directly deposited into her own wallet.
The US Department of Justice announced that the 36 yr old was found guilty of wire fraud, five counts of unauthorised access to a protected computer and damaging a protected computer. The jury also found her not guilty of access device fraud and aggravated identity theft.
Ms Thompson’s legal team argued that essentially she was an ethical hacker. They argued that because she had used the same tools and methods as ethical hackers and because the Justice Department had previously stated that prosecutors should not use the law to pursue “hackers engaged in good-faith security research” this should also apply to Ms Thompson.
However prosecutors successfully argued that “Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” said U.S. Attorney Nick Brown. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”
Prosecutors used Thompson’s texts and online chats to highlight how she used a tool she herself built to scan AWS accounts and look for misconfigured accounts. Once she found what she was looking for she gained access to them and downloaded the data. She spent hundreds of hours developing and enhancing her “scheme”. Prosecutors also showed evidence of her bragging about her illegal conduct to others via text and online forums.
One of the victims was Capital One. Thompson’s attack is claimed to have impacted more than 100 million U.S. Customers. The company was fined $80 million and had to settle subsequent lawsuits of circa $190 million.
She has been found guilty of Wire fraud – which is punishable by up to 20 years in prison. Her other charges that she was found guilty of, namely “Illegally accessing a protected computer and damaging a protected computer” are punishable by up to 5 years in prison. Thompson’s sentence will be decided by Judge Lasnik in September.
Thompson was an intentional insider threat. She had access and she had knowledge and expertise to pose a real threat. The Department of Justice doesn’t detail the issues .
There are a number of issues here from a security perspective.
- The clients and the AWS security set up was clearly inadequate. Vendors have to take more responsibility and so do the clients.
- Ms Thompson was employed by Amazon and possessed the access, knowledge and expertise to carry out the attacks undetected at the time.
- It is not known what Ms Thompson’s personal situation was but on discussion forums it is mooted she was experiencing great personal difficulties. There are also a wealth of accusations that Amazon provides little to no employee assistance schemes.
Evaluate, build or develop your insider threat program by ensuring:
- You build effective employee assistance programs to help people who are struggling;
- Monitor those with privileged access or access to R&D or sensitive information;
- Ensure all monitoring measures meet the test of “proportionate and necessary”;
- Train staff on what insider threats are and why its important to report them;
- Have an confidential internal whistleblowing program;
- Put in place effective access controls including least privilege; and
- Audit activity that could be vulnerable to fraud or sabotage being committed.
I spend a lot of time evaluating, building and enhancing insider threat programs. There is a common thread amongst those that are the most successful. They aren’t aggressively monitoring all staff or putting bio chips in people’s arms, they aren’t framing the employees as “threats” and they aren’t allowing whistleblowing policies to be misused. The most likely reasons for an intentional insider threat to manifest are disgruntlement, personal issues, financial issues or mental health / addiction issues. There is always a reason people do what they do. We can only speculate in Ms Thompson’s case but having effective employee assistance schemes is absolutely key and at the heart of an effective insider threat program.
The Department of Justice announcement can be found here: https://www.justice.gov/usao-wdwa/pr/former-seattle-tech-worker-convicted-wire-fraud-and-computer-intrusions