• EWC Community

Ex-Amazon Worker Convicted in Capital One Hacking

By: The New York Times

Paige Thompson, a former Amazon engineer, was recently accused of stealing personal information from customers at Capital One in one of the largest breaches in the United States. She was found guilty of wire fraud and hacking charges on Friday. Ms. Thompson worked as a software engineer and also ran a community online for other workers in her industry. She started downloading personal information in 2019 from over 100 million Capital One customers. Although her legal team argued that she was using the same tools and methods as other hackers who look for software vulnerabilities and report them so they can be fixed, the Justice Department said that she never alerted Capital One about the problems in their system that allowed her to gain access to millions of customers’ data. She also allegedly bragged about the vulnerabilities she found and information she downloaded to her online friends. Ms. Thompson also “used her access to Capital One’s servers to mine cryptocurrency,” the Justice Department said. In other words, the Justice Department believes she just wanted money, data, and to brag about her achievements. Ms. Thompson’s case got attention from the tech industry because of her charges under the Computer Fraud and Abuse Act. Many critics of the law argued that her case was so broad it allowed for the prosecution of “white hat hackers.”. Last month, the Justice Department told prosecutors that they shouldn’t use the law to pursue hackers who engaged in “good-faith security research.” The jury deliberated for 10 hours before finding Ms. Thompson guilty of gaining unauthorized access to a protected computer damaging a protected computer, the wire fraud charges. She is scheduled to be sentenced on September 15. Capital One discovered the breach in July 2019 after a woman who spoke to Ms. Thompson reported the data to Capital One. They passed the information to the Federal Bureau of Investigation, and Ms. Thompson was arrested not too long after. Regulators said Capital One lacked security measures it needed to ensure customer safety and protect their information. In 2020, the bank agreed to pay $80 million to settle those claims, and in December, also agreed to pay $190 million to the people who had their personal information stolen. “Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,” said Nicholas W. Brown, the U.S. attorney for the Western District of Washington. “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

10 views0 comments