A 2019 hack that exposed the accounts of 100 million credit card users led to the federal conviction of a former Amazon developer this Friday.
Paige Thompson was found guilty on seven counts of computer and wire fraud by a jury in Seattle. After eight days of testimony and one day of deliberation, the verdict was announced Friday afternoon.
Thompson, 36, was responsible for one of the largest data breaches in US history in 2019, when she downloaded information on more than 100 million Capital One customers. The data included around 120,000 Social Security numbers and approximately 77,000 bank account numbers.
Thompson, who worked as a systems engineer for Amazon Web Services but left the company years before the attack, sought out clients with misconfigured firewalls to obtain that information. Authorities said she then exploited those flaws to impersonate an authorized user. Thompson’s data requests succeeded because Capital One’s internal system identified her queries as coming from a “friendly” machine. Prosecutors also alleged that she installed cryptocurrency mining software on the companies’ computers, stealing their computing power to generate cash for her own benefit.
Specifically, Thompson was found guilty of one count of wire fraud and six counts of computer fraud and abuse. She was found not guilty of access device fraud and aggravated identity theft.
Nick Brown, U.S. attorney for the Western District of Washington, said:
We’re thrilled with the verdict. Hopefully, it’s good deterrence for other people, like Ms. Thompson, who purport to be good-faith hackers, but who are in fact engaged in something far more dangerous.
“The hacker, Paige A. Thompson, a former systems engineer at Amazon Web Services, used a self-made tool to detect misconfigured AWS accounts and then use those accounts to hack into the systems of more than 30 organizations, including Capital One” https://t.co/V4EGK7lf04
— Abhinav Agarwal (@AbhinavAgarwal) June 19, 2022
Two opposing interpretations of the key phrase “without authorization” were at the heart of Thompson’s case. Thompson was charged with violating the United States Computer Fraud and Abuse Act, which makes it unlawful to knowingly access a computer “without authorization” or “exceeding allowed access.”
The prosecution argued in its closing that Thompson’s access was not authorized because she had no specific permission from Capital One or the other compromised firms to examine and download their data.
The defense argued that Thompson’s activities were legitimate because the compromised organizations’ systems worked exactly as designed, and anyone with a web browser could have done the same.
The government responded with the analogy of a house key hidden under a doormat. Someone may walk around the neighborhood looking under every doormat for a key, but the fact that the key fits the lock does not mean the intruder has “permission” to enter the property.
The government also cited a sample of Thompson’s tweets, Slack conversations, and discussion board posts to argue that she was a calculating hacker motivated by money rather than a heroic “white-hat hacker” trying to find and fix weaknesses in the companies’ online defenses.
Thompson’s counsel, federal public defender Mohammad Hamoudi, emphasized in closing arguments Thursday that, although Thompson had no degree in engineering or computer science, computers allowed her to connect with people and places beyond her troubled home life. He suggested that the cold and impersonal world of computers may have left her lonely, prompting her to act out.
He reminded the jury that Thompson’s friends had testified about her frequently frantic messages, sent under the apt username “erratic,” and urged the jurors not to place too much weight on the government’s handful of example messages.
Thompson remains free on bail pending sentencing later this year.