Seattle hacker gets probation for $250M Capital One data breach

A former Amazon employee based in Seattle has been sentenced for her role in a huge data breach that saw Capital One bank pay out more than $250 million to affected customers.

Paige Thompson, known online by her handle “erratic,” was convicted in June for the 2019 hack in which more than 100 million people in the US and Canada had their personal information stolen. On Tuesday, a US District Court in Seattle found Thompson guilty of seven counts of computer and wire fraud — punishable by up to 20 years in prison — but the software engineer received a sentence of time served plus five years of probation, to include computer monitoring.

According to a press release from the Department of Justice (DOJ), US District Judge Robert S. Lasnik said that time in prison would be particularly difficult for Thompson, as she is transgender and suffers from mental health issues. The DOJ is, apparently, unhappy with the outcome: in a statement on the case, US attorney Nick Brown said that the department understood the mitigating factors but was “very disappointed with the court’s sentencing decision.” Brown added, “This is not what justice looks like.”

Yet from the outset, the Capital One breach presented a complicated set of facts that is atypical of most large hacking and data theft incidents. Thompson did access and download a huge amount of data without authorization after using a custom software tool she built to scan for misconfigured Amazon Web Services accounts. (Thompson was reportedly employed by Amazon Web Services from 2015–2016.)

After gaining access, she leveraged the compromised accounts to download data from a number of organizations, including Capital One, and obtained vast troves of sensitive user information including Social Security numbers and bank account information. Thompson also reportedly planted cryptocurrency mining software onto some of the remote servers that she had gained access to and routed the proceeds into her own crypto accounts.

But unlike many other data breach cases, it seems that there is no evidence Thompson sought to enrich herself from the large volumes of personal information she stole. There are no allegations that she offered any of this data for sale or fraudulently used banking information to make purchases for herself. In fact, it seems that she uploaded some details of the exploit to a publicly viewable GitHub account: as CNBC reports, it was a tip about the GitHub data that led to her eventual arrest.

At trial, attorneys for the defense argued that Thompson never attempted to profit from the hack and did not release the data in a way that caused anyone’s identity information to be misused.

The Seattle Times reports that a friend of Thompson’s wrote a letter of support in the trial, arguing that the financial institutions bore responsibility for poor handling of sensitive data and that Thompson’s exploits had exposed the flaws in the system.

“Paige saw a situation where the information on which the financial system depends for its security was left utterly unguarded by its custodians,” part of the letter said.