Ex-Amazon employee convicted of Capital One hacking

    A former Amazon engineer accused of stealing personal information from Capital One customers in one of the largest breaches in the United States was found guilty Friday of wire fraud and hacking.

    A Seattle jury found that Paige Thompson, 36, had violated an anti-hacking law known as the Computer Fraud and Abuse Act, which prohibits unauthorized access to a computer. The jury found her not guilty of identity theft and access device fraud.

    Ms. Thompson had worked as a software engineer and had an online community for other employees in her industry. In 2019, she downloaded personal information from more than 100 million Capital One customers. Her legal team argued that she had used the same tools and methods as ethical hackers who look for vulnerabilities in software and report them to companies so they can be fixed.

    But the Justice Department said Ms. Thompson had never intended to warn Capital One of the problems that gave her access to customer data, and that she had bragged to her online friends about the vulnerabilities she had discovered and the information she had downloaded. Ms. Thompson also used her access to Capital One’s servers to mine cryptocurrency, the Justice Department said.

    “She wanted data, she wanted money and she wanted bragging rights,” said Andrew Friedman, an assistant US attorney.

    Ms. Thompson’s case caught the attention of the tech industry over charges under the Computer Fraud and Abuse Act. Critics of the law have argued that it is too broad and allows the prosecution of so-called white hat hackers. Last month, the Justice Department told prosecutors to stop using the law to prosecute hackers who engaged in “good faith security investigations.”

    The jury deliberated for 10 hours before finding Ms. Thompson guilty of five counts of gaining unauthorized access to a protected computer and damaging a protected computer, in addition to the wire fraud charge. She will be sentenced on September 15.

    A lawyer for Ms. Thompson declined to comment on the verdict.

    Capital One discovered the breach in July 2019 after a woman who spoke to Ms. Thompson about the data reported the issue to Capital One. Capital One passed the information on to the Federal Bureau of Investigation, and Ms. Thompson was arrested shortly after.

    Regulators said Capital One lacked the security measures it needed to protect customer information. In 2020, the bank agreed to pay $80 million to settle those claims. In December, it also agreed to pay $190 million to people whose data had been exposed in the breach.

    “Mrs. Thompson used her hacking skills to steal the personal information of more than 100 million people and hijacked computer servers to mine cryptocurrencies,” Nicholas W. Brown, the US attorney for the Western District of Washington, said in a statement. “Instead of being an ethical hacker trying to help companies with their computer security, she took advantage of mistakes to steal valuable data and try to enrich herself.”