By: Sunnie Gao
Former Amazon software engineer Paige Thompson, 36, was accused of stealing customers’ personal information from Capital One in one of the biggest breaches to ever occur in the U.S. She was found guilty of seven federal crimes, including wire fraud and hacking charges last Friday, and violating the Computer Fraud and Abuse Act, an anti-hacking law that forbids computer access without authorization.
In 2019, Paige Thompson downloaded personal information belonging to more than 100 million Capital One customers. The data included around 120,000 Social Security Numbers and around 77,000 bank account numbers. Capital One has agreed to pay 80 million dollars in order to settle federal bank regulators’ claims that Capital One lacked proper cybersecurity measures, including security measures that would protect customers’ information. In fact, in December, Capital One has agreed to pay 190 million more to those whose data had been exposed in the breach. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.” Titiana Stead, a Capital One spokeswoman, states.
Capital One first discovered the breach after a woman who had spoken to Ms. Thompson reported the problem to them. Capital One then passed the information to the Federal Bureau of Investigation, where Ms. Thompson was arrested soon after.
Ms. Thompson’s legal team has argued that she was using the same methods and tools as ethical hackers, who hunt for cracks in the software and report them so they can be fixed and that she was suffering from mental health issues all the while.
However, on the opposing side, the Justice Department argued that Ms. Thompson had no intention of alerting Capital One to the problems that had allowed her to access customer’s data but instead took advantage of it, bragging to her online friends about what she had discovered, and using her access to Capital One servers to mine cryptocurrency. As Andrew Friedman, an assistant U.S. attorney stated in his closing argument, “She wanted data, she wanted money, and she wanted to brag.”
After seven days of trial and deliberating for 10 hours, the jury finally reached a verdict, finding Ms. Thompson guilty of five counts of gaining unauthorized access to a protected computer and damaging a protected computer, adding on to the wire fraud charges. Wire fraud is punishable by up to 20 years in prison, while the other charges can bring up a five-year maximum. She was found not guilty of identity theft and access device fraud and will be sentenced on September 15.
“Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people and hijacked computer servers to mine cryptocurrency. Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.” Nicholas W. Brown, the U.S. attorney for the Western District of Washington, said in a statement.
Ms. Thompson’s lawyer declined to comment on the verdict.