Just as Amazon stores millions of physical goods in a dizzying array of warehouses, Amazon Web Services hosts large amounts of data for other companies that rent space on its servers. Among his clients was Capital One.
In early 2019, several years after she quit working for Amazon Web Services, Ms. Thompson tracked down her clients who hadn’t properly configured firewalls to protect their data. “Thompson scanned tens of millions of AWS customers for vulnerabilities,” Brown wrote in a legal filing. In March, she discovered a vulnerability that allowed her to download data from Capital One, the prosecutor added.
In June 2019, Ms Thompson messaged a woman online and disclosed what she found, according to legal documents. Ms Thompson added that she had considered sharing the data with a scammer and said she would publicly reveal her involvement in the breach.
“I basically strapped myself in with a bomb vest,” Ms Thompson said in copies of the online chat that were included in court filings, referring to her intention to publicly release the data and expose herself.
The woman suggested that Ms Thompson turn herself in to authorities, prosecutors said. A month later, the woman contacted Capital One and informed the bank of the breach. Capital One notified law enforcement officials and Ms Thompson was arrested in late July 2019. If convicted, she faces more than 30 years in prison.
“The government-submitted snapshots are an incomplete and inaccurate portrayal of a life more aptly described as one of survival and resilience,” wrote Mohammad Ali Hamoudi, a lawyer representing Ms Thompson, and other members of his team. legal team in a file. Ms Thompson had sought mental health treatment, they added, demonstrating her determination to confront her problems.
In 2020, Capital One agreed to pay $80 million to settle claims by federal banking regulators that it lacked the security protocols needed to protect customer data. The settlement also forced the bank to work quickly to improve its security. In December, Capital One agreed to pay $190 million to people whose data was exposed in the breach, settling a class action lawsuit.