A former Amazon software engineer who allegedly stole personal data of more than 100 million credit card customers claims she was trying to expose vulnerabilities in Capital One’s online system.
Paige Thompson, 36, of Seattle, is accused of hacking into Capital One’s stored data and downloading private information, including bank account and social security numbers, from customers’ credit card applications.
She allegedly violated the Computer Fraud and Abuse Act, an anti-hacking law that forbids access to a computer without authorization, the criminal complaint states.
However, her attorneys argue her actions were that of a ‘novice white-hat hacker’ trying who was scanning the online interface for vulnerabilities and exploring what she exposed.
Critics of the Computer Fraud and Abuse Act allege the ‘loose’ law allows for protections for hackers who find vulnerabilities in online systems.
Thompson, whose federal trial began in Washington state on Tuesday, faces 10 counts of computer fraud, wire fraud and identity theft. She has pleaded not guilty to the charges and, if convicted, could be sentenced to up to 30 years in prison.
Attorneys representing Paige Thompson (pictured) allege she was trying to expose vulnerabilities in Capital One’s data system when she hacked the bank and stole personal data belonging to more than 100 million customers
Analysts predict Thompson’s trial will heavily scrutinize the methods she used to hack Capital One and her plans for the stolen data.
Prosecutors claim Thompson intended to use the stolen information to conduct identity theft. They also allege she took advantage of her access to corporate servers in a scheme to mine cryptocurrency.
Thompson’s lawyers have argued her discovery of the ‘flaws’ in Capital One’s data storage system was part of ‘good-faith research’.
They claim her hacking methods ‘reflected the same practices used by legitimate security researchers’ and fall under the Computer Fraud and Abuse Act statute that protects those who find vulnerabilities in online systems.
‘They are interpreting a statute so broadly that it captures conduct that is innocent and as a society we should be supporting, which is security researchers going out on the internet and trying to make it safer,’ defense attorney Brian Klein The New York Times.
He also argued the current law ‘doesn’t give a lot of visibility to people on what could get you in trouble and what couldn’t get you in trouble.’
The prosecution, however, argues Thompson had no interest in helping the bank improve its security and sought to profit from the breach. Thompson’s Seattle home is pictured in July 2019 after federal agents raided the property
The Justice Department claims Thompson violated the Computer Fraud and Abuse Act, an anti-hacking law that forbids access to a computer without authorization. But her lawyers have argued her discovery of the ‘flaws’ in Capital One’s data storage system was part of ‘good-faith research’ and falls under the statute that protects those who find vulnerabilities in online systems. Federal agents are pictured at her Seattle home in July 2019
However, the Justice Department alleges Thompson had no interest in helping the bank improve its security and therefore cannot be considered a ‘white hat’ hacker.
The feds cited instances of her apparently bragging about the theft online and chats in which she allegedly detailing how she may be able to profit from the breach.
‘Even if her actions could be broadly characterized as ‘research,’ she did not act in good faith,’ Nicholas W. Brown, the U.S. attorney for the Western District of Washington, stated. ‘She was motivated both to make money and to gain notoriety in the hacking community and beyond.’
Mohammad Ali Hamoudi, another member of her defense, hit back, saying: ‘The snapshots submitted by the government are an incomplete and inaccurate portrayal of a life more fairly described as one of survival and resilience.’
He also noted how his client had sought mental health treatment, ‘demonstrating her resolve to confront her problems.’
Thompson hacked Capital One between March and July 2019. Her trial began in federal court on Tuesday. She faces 10 counts of computer fraud, wire fraud and identity theft and has pleaded not guilty to the charges. If convicted, she could be sentenced to 30 years in prison
The FBI launched an investigation into Thompson in 2019 after Capital One learned it was the subject of one of the largest data breaches in U.S. history.
According to the criminal complaint, Thompson ‘intentionally’ accessed the data sometime between March and July 2019 breaking into the bank’s servers through a misconfiguration in its firewall.
She obtained personal data from the banking platform’s online system, including 140,000 Social Security numbers and 80,000 bank account numbers.
Investigators allege she then saved then downloaded the information, creating an archive of the stolen data, and stored it on Amazon’s Web Services cloud.
Amazon, at the time, insisted it was not to blame for the hack and argued Thompson exploited Capital One’s systems to access it.
Capital One admitted that it was a fault in its infrastructure, and not Amazon’s, which led to the breach.
Capital One received an anonymous email in July 2019 alerting the bank had been hacked
After allegedly stealing the data, Thompson left authorities a trail of breadcrumbs, posting online about the hack so much that fellow hackers expressed concern.
‘Sketchy s***…don’t go to jail plz,’ an alleged hacker warned Thompson, who went by the alias ‘erratic,’ in a chat in June 2019.
‘I wanna get it off my server that’s why I’m archiving all of it lol,’ she replied. ‘I just dont want it around though. I gotta find somewhere to store it.’
She also allegedly admitted to the theft in a Twitter chat message reading: ‘I’ve basically strapped myself with a bomb vest, f*****g dropping capitol ones dox and admitting it…
‘I wanna distribute those buckets i think first.’
The FBI states that ‘buckets’ is synonymous with file folders. By ‘distributing buckets,’ Thompson allegedly meant that she sought to ‘disseminate data stolen from victim entities, starting with Capital One.’
Thompson left a trail of bread crumbs for authorities by posting about the hack online
She not only discussed the hack online but seemingly threatened to release the stolen data
Her online postings about the hack were reported to Capital One in July 2019 by a white hat hacker.
The informant sent an anonymous email to the bank claiming to have read about the hack Github, an online information sharing platform.
The email contained a link whose address included Thompson’s full name – ‘paigeadelethompson’.
Authorities say that they became convinced that Thompson was the owner of the GitHub page.
The page also included a number of server list IP addresses that match the same addresses used by the hacker who broke into Capital One, the complaint stated.
Thompson was arrested in late July 2019.
In August 2020, Capital One Financial Corp was fined $80 million by a top banking regulator in connection to the hack.
Federal regulators alleged the bank lacked the security protocols needed to protect customers’ data.
Capital One was also ordered to enhance its risk-management program and related governance and controls around cybersecurity and information security.
Last December, the bank settled a class-action lawsuit by agreeing to pay $190 million to customers whose data had been exposed during the breach.