Accused Capital One Hacker Stands Trial for Fraud and Identity Theft

Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers’ personal information from Capital One is standing trial in a case that will test the power of American anti-hacking law.

Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said.

The information came from applications for credit cards, and included 140,000 Social Security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began on Tuesday in Seattle.

The methods Ms. Thompson used to discover the information, and what she planned to do with it, will be closely scrutinized in the case. Ms. Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Ms. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they uncovered — were those of a “novice white-hat hacker.”

Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, like using a pseudonym on a social media site that requires users to go by their real names.

In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in “good-faith security research.”

Ms. Thompson’s trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Ms. Thompson had planned to use the information she gathered for identity theft, and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency. But her lawyers have argued that Ms. Thompson’s discovery of flaws in Capital One’s data storage system reflected the same methods used by legitimate security researchers and should not be considered criminal activity.

“They are interpreting a statute so broadly that it captures conduct that is innocent and as a society we should be supporting, which is security researchers going out on the internet and trying to make it safer,” said Brian Klein, a lawyer for Ms. Thompson. The law “doesn’t give a lot of visibility to people on what could get you in trouble and what couldn’t get you in trouble,” Mr. Klein added.

The Justice Department has argued that Ms. Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a “white hat” hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.

“Even if her actions could be broadly characterized as ‘research,’ she did not act in good faith,” Nicholas W. Brown, the U.S. attorney for the Western District of Washington, wrote in a legal filing. “She was motivated both to make money and to gain notoriety in the hacking community and beyond.”

Some security researchers said Ms. Thompson had ventured too far into Capital One’s systems to be considered a white-hat hacker.

“Legitimate people will push a door open if it appears to be ajar,” said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity company.

It is not unusual for security researchers to test vulnerabilities they find, making sure that they result in flaws that expose data, before reporting the problems to companies so they can be fixed. But downloading thousands of files and setting up a cryptocurrency mining operation were “intentionally malicious actions that do not happen in the course of testing security,” Mr. Wisniewski said.

Ms. Thompson grew up in Arkansas, where she struggled to fit in but excelled with computers, according to court documents. She dropped out of high school and made plans to move to Seattle, where she would eventually join a thriving community of technologists and begin a gender transition.

In 2005, before she turned 20, Ms. Thompson was already working in a series of software development jobs. In 2015, she secured a job at Amazon Web Services, the cloud computing wing of the online retail giant, and worked there for a little over a year. But Ms. Thompson sometimes struggled with her mental health and at times felt alienated from her peers in the tech industry, who she worried did not accept her transition, she wrote on social media and a personal blog.

Just as Amazon stores millions of physical items in a dizzying array of warehouses, Amazon Web Services hosts vast amounts of data for other companies that rent space on its servers. Among its customers was Capital One.

In early 2019, several years after she stopped working for Amazon Web Services, Ms. Thompson searched for its customers who had not properly set up firewalls to protect their data. “Thompson scanned tens of millions of AWS customers looking for vulnerabilities,” Mr. Brown wrote in a legal filing. By March, she had found a vulnerability that allowed her to download data from Capital One, the prosecutor added.

In June 2019, Ms. Thompson sent online messages to a woman and disclosed what she had found, legal filings said. Ms. Thompson added that she had considered sharing the information with a scammer, and said she would publicly reveal her involvement in the breach.

“I’ve basically strapped myself with a bomb vest,” Ms. Thompson said in copies of the online chat that were included in court records, referring to her plan to publicly release the information and expose herself.

The woman suggested that Ms. Thompson turn herself in to the authorities, prosecutors said. A month later, the woman contacted Capital One and told the bank about the breach. Capital One informed law enforcement officials, and Ms. Thompson was arrested in late July 2019. If convicted, she could face more than 30 years in prison.

“The snapshots submitted by the government are an incomplete and inaccurate portrayal of a life more fairly described as one of survival and resilience,” Mohammad Ali Hamoudi, a lawyer representing Ms. Thompson, and other members of her legal team wrote in a filing. Ms. Thompson had sought mental health treatment, they added, demonstrating her resolve to confront her problems.

In 2020, Capital One agreed to pay $80 million to settle claims from federal bank regulators that it lacked the security protocols necessary to protect customers’ information. The settlement also required the bank to work quickly to improve its security. In December, Capital One agreed to pay $190 million to people whose data had been exposed in the breach, settling a class-action lawsuit.