Accused Capital One Hacker Stands Trial for Fraud and Identity Theft

Approximately three years after the disclosure of one of the largest data breaches in the United States, a former Amazon employee accused of stealing customers’ personal information from Capital One is being tried in a case that tests the power of U.S. anti-hacking laws.

Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers. According to the Justice Department, in 2019 she downloaded personal information belonging to more than 100 million Capital One customers.

The data came from credit card applications and included 140,000 Social Security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began in Seattle on Tuesday.

The method Thompson used to discover the information, and what she planned to do with it, will be scrutinized in this case. Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which prohibits unauthorized access to computers. Thompson has maintained her innocence, and her lawyer said her actions (scanning for online vulnerabilities and investigating what they exposed) were those of a “beginner white hat hacker.”

Critics of the computer fraud law argue that it is too broad, allowing the prosecution of people who discover vulnerabilities in online systems or who break digital agreements in harmless ways, such as using a pseudonym on a social media site that requires users to go by their actual names.

In recent years, courts have begun to agree. Last year, the Supreme Court narrowed the scope of the law, ruling that it could not be used to prosecute people who had legitimate access to data but improperly abused it. In April, a federal appeals court ruled that automated data collection from websites, known as web scraping, does not violate the law. Last month, the Justice Department said prosecutors should not use the law to pursue hackers engaged in “sincere security research.”

Ms. Thompson’s trial will raise questions about how far security researchers can go in pursuing cybersecurity flaws before their actions violate the law. Prosecutors said Thompson planned to use the information she collected for identity theft and used her access to corporate servers in a cryptocurrency mining scheme. However, her lawyer insisted that Thompson’s discovery of a flaw in Capital One’s data storage system reflects the same practices used by legitimate security researchers and should not be considered a criminal offense.

“They have a very broad interpretation of the law, one that captures innocent acts by security researchers who go out on the Internet to make it safer, which as a society we should support,” said Brian Klein, a lawyer for Ms. Thompson. Klein added that the law “doesn’t give people much visibility into what could bother you and what couldn’t bother you.”

The Justice Department argued that Ms. Thompson was not interested in helping Capital One close its security holes and could not be considered a “white hat” hacker. Instead, she chatted with a friend online about how she could benefit from the breach, according to legal documents.

“Even though her behavior was widely characterized as ‘research,’ she did not act in good faith,” wrote Nicholas W. Brown, the U.S. attorney for the Western District of Washington, in a legal document. “She was motivated both to make money and to get a bad reputation in the hacking community and beyond.”

Some security researchers said Thompson went too far into Capital One’s system and couldn’t be considered a white hat hacker.

Chester Wisniewski, Principal Investigator at Sophos, a cybersecurity company, said:

It is not uncommon for security researchers to test the vulnerabilities they discover, confirming that a flaw actually exposes data before reporting the issue to the company so it can be fixed. However, downloading thousands of files and setting up cryptocurrency mining operations is “a deliberate malicious action that does not occur during security testing,” Wisniewski said.

According to court records, Ms. Thompson grew up in Arkansas, where she had a hard time fitting in but excelled with computers. She dropped out of high school and made plans to move to Seattle, where she eventually joined an active community of technologists and began her transition.

In 2005, before she turned 20, Thompson was already working a series of software development jobs. In 2015, she secured a job at Amazon Web Services, the cloud computing division of the online retail giant, where she worked for over a year. However, Thompson sometimes struggled with her mental health and felt alienated from tech peers who, she sometimes worried, would not accept her transition, she wrote on social media and on her personal blog.

Just as Amazon stores millions of physical items in dazzling warehouses, Amazon Web Services hosts vast amounts of data for other companies that rent space on its servers. One of those customers was Capital One.

In early 2019, a few years after leaving Amazon Web Services, Thompson searched for customers who had not properly set up firewalls to protect their data. “Thompson has scanned tens of millions of AWS customers looking for vulnerabilities,” Brown wrote in a legal document. By March, prosecutors added, she had discovered a vulnerability that allowed her to download data from Capital One.

In June 2019, Thompson sent an online message to a woman, disclosing what she had found, legal documents said. Thompson added that she was considering sharing the data with fraudsters and said she would publicly reveal her own involvement in the breach.

“I was basically dressed in a bomb vest,” Thompson said in a copy of an online chat contained in court records, referring to her plans to publish the data and reveal herself.

The woman suggested that Ms. Thompson turn herself in to the authorities, prosecutors said. A month later, the woman contacted Capital One and told the bank about the breach. Capital One notified law enforcement authorities, and Ms. Thompson was arrested in late July 2019. If convicted, she could face 30 years or more in prison.

“The snapshots submitted by the government are incomplete and inaccurate depictions of a life that is more fairly described as one of survival and resilience,” Mohammad Ali Hamdi, a lawyer representing Ms. Thompson, and other members of her legal team wrote in a filing. Ms. Thompson had sought mental health treatment, they added, showing her determination to tackle her problems.

In 2020, Capital One agreed to pay $80 million to resolve a claim from federal banking regulators that it lacked the security protocols needed to protect its customers’ data. The settlement also called for the bank to work swiftly to improve its security. In December, Capital One settled a class-action lawsuit, agreeing to pay $190 million to those whose data was exposed in the breach.
