• EWC Community

Former Amazon Worker Convicted for 2019 Capital One Breach

Updated: Jun 26

By: Michael Chuang

Last Friday, Paige Thompson, a former Amazon employee, was found guilty of wire fraud and hacking charges for stealing the personal information of more than 100 million people from Capital One.

Paige Thompson was charged under the Computer Fraud and Abuse Act (CFAA), a law prohibiting computer-related behavior. Ms. Thompson’s actions violated the CFAA, according to a Seattle jury.

Back in July of 2019, she gained access to over 100 million Capital One customers’ private data and proceeded to download the information. Capital One was notified only after a woman had spoken to Ms. Thompson regarding the data.

According to The New York Times, “Her legal team argued that she had used the same tools and methods as ethical hackers who hunt for software vulnerabilities and report them to companies so they can be fixed.” However, the Justice Department stated that Ms. Thompson had no intention to warn Capital One of these software vulnerabilities that granted her access to the sensitive data. In contrast, Ms. Thompson used her access to brag to her online friends.

Instead of reporting the problems to Capital One, Ms. Thompson took the information to her advantage to access Capital One’s servers, in which she proceeded to mine cryptocurrency. Andrew Freidman, an assistant U.S. attorney, said, “She wanted data, she wanted money, and she wanted to brag.”

A year after the breach, Capital One paid $80 million to improve security measures to ensure the protection and privacy of customer information. Later the same year, Capital One compensated $190 million to people who had been affected by the breach.

Nickolas W. Brown, the U.S. attorney for the Western District of Washington said, “Far from being an ethical hacker trying to help companies with their computer security, [Ms. Thompson] exploited mistakes to steal valuable data and sought to enrich herself.”

On top of wire charges, the jury examined the case for 10 hours before concluding Ms. Thompson guilty of five counts of acquiring unaccredited access and damaging a private computer. However, Ms. Thompson was found innocent of identity theft and access device fraud. Her sentence is scheduled for September 15.

36 views0 comments