Nearly three years after exposing one of the largest data breaches in the United States, the former Amazon employee accused of stealing personal information from Capital One customers is on trial in a case that will test the strength of the US anti-hacking law.
Paige Thompson worked as a software engineer in Seattle and had an online community for other programmers. In 2019, she downloaded personal information from more than 100 million Capital One customers, the Justice Department said.
The data came from credit card applications and includes 140,000 social security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft in a federal lawsuit that began Tuesday in Seattle.
The methods Ms. Thompson used to obtain the information, and what she intended to do with it, will be scrutinized in the case. Ms. Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which prohibits unauthorized access to a computer. Ms. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and investigating what they uncovered — were those of a “beginner white-hat hacker.”
Critics of the computer fraud law have argued that it is too broad and allows prosecution of people who discover vulnerabilities in online systems or break digital agreements in benign ways, such as using a pseudonym on a social media site that requires users to provide their real names.
In recent years, courts have begun to agree. The Supreme Court last year limited the law’s scope, ruling that it cannot be used to prosecute people who had legitimate access to data but misused that access. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, does not violate the law. Last month, the Justice Department told prosecutors to stop using the law to prosecute hackers who engaged in “good faith security research.”
Ms. Thompson’s trial will raise questions about how far security researchers can go in their search for cybersecurity flaws before their actions break the law. Prosecutors said Ms. Thompson intended to use the information she collected for identity theft, and misused her access to company servers in a scheme to mine cryptocurrency. But her lawyers have argued that Ms. Thompson’s discovery of flaws in Capital One’s data storage system reflected the same practices used by legitimate security researchers and should not be considered criminal activity.
“They’re interpreting a statute so broadly that it criminalizes behavior that is harmless and that we as a society should support, namely security researchers who take to the Internet and try to make it more secure,” said Brian Klein, a lawyer for Ms. Thompson. The law “doesn’t give people much insight into what could get you in trouble and what might not get you in trouble,” Mr. Klein added.
The Justice Department has argued that Ms. Thompson had no interest in helping Capital One plug the security holes and that she cannot be considered a “white hat” hacker. Instead, she chatted with friends online about how she might profit from the breach, according to legal records.
“Even if her actions can be broadly characterized as ‘investigation,’ she has not acted in good faith,” Nicholas W. Brown, the US attorney for the Western District of Washington, wrote in a legal filing. “She was motivated both to make money and to gain exposure in the hacking community and beyond.”
Some security researchers said Ms. Thompson had ventured too far into Capital One’s systems to be considered a white-hat hacker.
“Legitimate people will push open a door when it appears to be ajar,” said Chester Wisniewski, principal investigator at Sophos, a cybersecurity firm.
It’s not uncommon for security researchers to test the vulnerabilities they discover, confirming that a flaw actually exposes data before reporting the issue to the company for remediation. But downloading thousands of files and setting up a cryptocurrency mining operation were “deliberately malicious actions that do not take place during security testing,” said Mr. Wisniewski.
Ms. Thompson grew up in Arkansas, where she struggled to fit in, according to court records, but excelled with computers. Dropping out of high school, she made plans to move to Seattle, where she would eventually join a thriving community of technologists and begin a gender transition.
In 2005, before turning 20, Ms. Thompson was already working in a range of software development jobs. In 2015, she got a job at Amazon Web Services, the cloud computing wing of the online retail giant, and worked there for a little over a year. But Ms. Thompson occasionally struggled with her mental health and at times felt alienated from her tech industry peers, who she feared might not accept her transition, she wrote on social media and a personal blog.
Just as Amazon stores millions of physical goods in a staggering number of warehouses, Amazon Web Services hosts massive amounts of data for other companies renting space on its servers. Among its clients was Capital One.
In early 2019, several years after she left Amazon Web Services, Ms. Thompson looked for its clients who had not set up firewalls to protect their data. “Thompson has scanned tens of millions of AWS customers looking for vulnerabilities,” Mr. Brown wrote in a legal filing. In March, she discovered a vulnerability that allowed her to download data from Capital One, the prosecutor added.
In June 2019, Ms. Thompson messaged a woman online, revealing what she had found, legal documents said. Ms. Thompson added that she had considered sharing the data with a scammer and said she would publicly disclose her involvement in the breach.
“I actually strapped myself with a bomb vest,” Ms. Thompson said in copies of the online chat included in the court records, referring to her plan to release the data publicly and expose herself.
The woman suggested that Ms. Thompson turn herself in to the authorities, prosecutors said. A month later, the woman contacted Capital One and told the bank about the breach. Capital One notified law enforcement, and Ms. Thompson was arrested in late July 2019. If convicted, she could face more than 30 years in prison.
“The snapshots submitted by the government are an incomplete and inaccurate picture of a life more honestly described as a life of survival and resilience,” wrote Mohammad Ali Hamoudi, a lawyer representing Ms. Thompson, and other members of her legal team in a court filing. Ms. Thompson had sought psychological help, they added, demonstrating her determination to cope with her problems.
In 2020, Capital One agreed to pay $80 million to settle claims by federal banking regulators that it lacked the security protocols needed to protect customers’ data. The settlement also required the bank to act quickly to improve its security. In December, Capital One agreed to pay $190 million to people whose data had been exposed in the breach, settling a class action lawsuit.