No Prison for Seattle Hacker Behind Capital One $250 Million Data Breach
The former Amazon engineer whose 2019 hack compromised 100
million credit card users' accounts won't spend any additional time in jail.
Convicted in June on seven hacking-related charges, Seattle
resident Paige Thompson was sentenced Tuesday to time served and five years of
probation for violating an anti-hacking law known as the Computer Fraud and
Abuse Act.
Thompson, 37, was responsible for one of the largest data
breaches in U.S. history. She downloaded data from more than 100 million
Capital One users, including 120,000 Social Security numbers and about 77,000
bank account numbers. U.S. Attorney Nick Brown said Thompson "did more
than $250 million in damage to companies and individuals."
Prosecutors argued successfully that Thompson used a
software tool she built via Amazon Web Services to look for misconfigured
accounts. She then used the accounts to hack and download the data of more than
30 entities, including Capital One. The bank's internal system recognized
Thompson's queries as coming from a "friendly" computer, so it
fulfilled her data requests.
Arrested in July 2019, Thompson remained jailed until
November of that year.
In 2020, Capital One agreed to pay $80 million to settle
federal bank regulators' claims that it lacked security measures it needed to
protect customers' information. In December, the bank settled a class-action
lawsuit, filed by customers whose data was exposed in the breach, for $190 million.
At the sentencing hearing, U.S. District Judge Robert Lasnik
said time in prison would be particularly difficult for Thompson because of her
well-documented mental health issues and because she is transgender.
Thompson had contended she was attempting to collect a
bounty for spotting the vulnerability in the systems of the companies she
hacked. Such payments are sometimes made to "white hat" hackers, who
try to identify and mend vulnerabilities in companies' online defenses.
"She wanted data, she wanted money and she wanted to
brag," Assistant U.S. Attorney Andrew Friedman said in closing arguments.
In a letter advocating for Thompson, a friend wrote that
"Paige saw a situation where the information on which the financial system
depends for its security was left utterly unguarded by its custodians."
The individual also wrote that while Thompson was wrong for
not reporting it, "any random person with a computer could commit nearly
limitless fraud."
Other supporters wrote that Thompson struggled with
substance abuse and dependence as a way to self-medicate for her mental health.
The defense said during the trial that her actions were
legal because the breached companies' systems performed as they were
programmed.
A jury in Seattle convicted Thompson on counts of wire
fraud, unauthorized access to a protected computer and damaging a protected
computer following an eight-day trial. The hearing to determine the restitution
amount Thompson must pay is scheduled for Dec. 1.