Paige Adele Thompson, online handle erratic, is a former Amazon Web Services engineer convicted in June 2022 for the 2019 Capital One data breach — the exfiltration of personal information on approximately 100 million Capital One credit-card applicants and 6 million Canadian customers via a misconfigured Web Application Firewall on AWS.
The intrusion
Thompson had been employed by AWS until 2016, after which she remained active in security research and AWS-tooling communities. In March 2019, she scanned the public internet for misconfigured AWS Web Application Firewall instances: specifically, WAFs vulnerable to server-side request forgery (SSRF) against the EC2 metadata service and attached to IAM roles with excessive privileges over S3 buckets.
She found one at Capital One. The financial services company had deployed a WAF on AWS with an IAM role granting permission to list and read S3 objects across the bank's tenant. Thompson:
- Identified the misconfigured WAF.
- Exploited the SSRF to retrieve temporary IAM credentials from the EC2 metadata service.
- Used those credentials to list and download S3 objects — including 140,000 U.S. Social Security numbers, 80,000 U.S. bank account numbers, 1 million Canadian Social Insurance Numbers, and personal data on roughly 106 million applicants and customers.
The exfiltration took place between 22 and 23 March 2019.
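The chain above leaves a characteristic trace: an EC2 instance role's temporary credentials are used for S3 enumeration and bulk reads from an address that is not the instance. The following detection, an added example and not code from the original page or from Capital One, runs that check over constructed CloudTrail-style records; the account ID, role name, instance ID, IP ranges and bucket names are placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Networks the WAF instances are expected to call AWS APIs from (constructed
# values; a real deployment would use its VPC CIDRs and the hosts' Elastic IPs).
EXPECTED_SOURCE_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]
# S3 calls that matter when stolen instance-role credentials are used to enumerate and bulk-read.
S3_ENUM_AND_READ = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}
# For an EC2 instance-profile role, CloudTrail's assumed-role ARN ends in the instance ID.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]+)$")
# Constructed CloudTrail-style records: real field names, placeholder account, role, IPs, buckets.
WAF_ROLE = "arn:aws:sts::111122223333:assumed-role/waf-role/i-0a1b2c3d4e5f6a7b8"
SAMPLE_EVENTS = [
    # Normal: the WAF instance reads its own config bucket from inside the VPC.
    {"eventName": "GetObject", "sourceIPAddress": "10.20.5.17",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE},
     "requestParameters": {"bucketName": "waf-config"}},
    # Suspicious: the same role session's credentials used from an unexpected address.
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}, "requestParameters": None},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE},
     "requestParameters": {"bucketName": "customer-applications"}},
]

def instance_session(event):
    """Return the EC2 instance ID if the caller is an instance-profile role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = INSTANCE_SESSION.search(ident.get("arn", ""))
    return m.group(1) if m else None

def find_credential_misuse(events):
    """Flag S3 enumeration/read calls made with an instance role's credentials from elsewhere."""
    alerts = []
    for ev in events:
        instance = instance_session(ev)
        try:
            src = ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # CloudTrail puts a service name here for AWS-initiated calls; not our case
        if (instance is None or ev.get("eventName") not in S3_ENUM_AND_READ
                or any(src in net for net in EXPECTED_SOURCE_NETWORKS)):
            continue  # not an instance role, not an S3 read, or the instance calling from home
        params = ev.get("requestParameters") or {}
        alerts.append({"instance": instance, "source_ip": str(src),
                       "action": ev["eventName"], "bucket": params.get("bucketName")})
    return alerts
```

A production version would take the expected networks from the instances' actual ENI and Elastic IP inventory rather than a static list, and would also alert on a ListBuckets call from a role that has never listed buckets before.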
Disclosure and arrest
Thompson took no steps to monetise the data. Instead she posted about it openly on:
- Slack groups for security researchers.
- GitHub (her personal repositories listed the exfiltrated S3 bucket names).
- Twitter under the handle @0xA3A97B6C.
A researcher who saw her posts notified Capital One on 17 July 2019 via the bank's responsible disclosure programme. Capital One investigated, confirmed the breach, and contacted the FBI within 48 hours.
The FBI's investigation took two weeks. Thompson was arrested at her Seattle residence on 29 July 2019 without resisting. The data had not been redistributed; the FBI recovered the exfiltrated files from her devices.
Trial and conviction
Thompson was charged with seven counts including computer fraud and abuse, identity theft, and wire fraud. Her defence argued that she was an ethical-hacking researcher whose actions were equivalent to a security audit. The prosecution presented evidence that she had also exfiltrated data from 30+ additional misconfigured AWS-hosted organisations beyond Capital One — including a state agency, a public research university, and several technology companies — establishing that the conduct was systematic rather than a single ethics-driven test.
In June 2022, a federal jury in the Western District of Washington found Thompson guilty on five of seven counts. In October 2022, she was sentenced to time served plus five years of probation — a notably lenient sentence given the scale of the breach, reflecting the judge's view that Thompson had not monetised or further distributed the data and had cooperated extensively with the FBI.
Attributed incidents
Why it matters
The Thompson case is the canonical case for cloud misconfiguration as a primary breach vector. It established:
- That WAF + IAM role + SSRF is a well-defined attack chain against AWS deployments — and one that Capital One's standard cloud configuration permitted without raising any internal alerts.
- That insider knowledge of cloud-platform internals lowers the technical bar for cloud breaches dramatically. Thompson had worked at AWS; she knew the specific IAM behaviours that turned a misconfigured WAF into an S3-listing capability.
- That opportunistic mass-scanning for cloud misconfigurations is an established attacker behaviour and a continuing operational reality. Tools like Pacu, Prowler, and ScoutSuite are part of the standard cloud-pentesting toolkit, and attacker-run scanners with the same capabilities sweep the public internet continuously.
Capital One paid an $80 million OCC fine and ~$190 million class-action settlement in addition to the direct remediation costs.