IOTW: Capital One hacker given probation following cyber attack

Paige Thompson, a former Amazon software engineer known by the online handle ‘erratic’ was sentenced to time served and five years’ probation for seven federal crimes. Thompson’s location and personal computer will also be monitored. 

The sentencing was related to her hacks into a number of cloud accounts for both individuals and companies, including the bank Capital One. During the hacks, Thompson stole data and computer power. At the trial, she was found guilty of five counts of unauthorized access to a protected computer, damaging a protected computer and wire fraud.

US Attorney Nick Brown said in a release that he was “very disappointed” in the sentencing, commenting that “this is not what justice looks like”.

He continued, saying: “Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction.”

At the sentence hearing, US District Judge Robert Lasnik said that jail time would be “particularly difficult” for Thompson as she is transgender and suffers from mental health issues.

A hearing was scheduled for December 1 of this year to determine how much Thompson must pay in restitution to her victims.

What happened in the Captial One hack?

On July 19, 2019, Capital One alerted the public that an “outside individual” had gained unauthorized access and obtained the personal information of a number of Capital One customers who had either applied for or had a Capital One credit card.

During the hack, around one million Social Insurance numbers, 140,000 Social Security numbers and 80,000 linked bank account details were accessed. Other information including names, addresses, zip codes, phone numbers, email addresses, dates of birth and self-reported income were accessed.

In a statement, Capital One said it had “immediately fixed the issue” and began working with law enforcement, with the individual responsible being captured by the FBI.

Overall, the data breach affected 106 million people and did US$250 million worth of damage.

Despite the government saying that it “believe[d] the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual”, Capital One still faced a class action lawsuit. The lawsuit saw Capital One establish a settlement fund of US$190 million for those affected by the cyber-attack.

How was Thompson involved in the hack? 

Using a tool she built, Thompson would scan cloud-based storage system Amazon Web Services to detect misconfigured accounts. Once these accounts were found, Thompson would then hack into the accounts and download the data held in the account. Using this method, she was able to hack into and download the data of more than 30 entities, including the Capital One bank. Thompson also used her unauthorized access to plant crypto mining software into unknowing user’s accounts, with the income of said software going directly to her online wallet.  

Thompson was arrested in July 2019 following an alert to the FBI by financial company Capital One regarding her hacking and was found guilty in June 2022.

Thompson shared information about the hacks via SMS and posts on online forums. The posts and texts were then used as evidence against her in court.

Her crimes were described by the prosecution as “fully intentional and grounded in spite, revenge, and willful disregard for the law”, with Thompson herself described as “exhibit[ing] a smug sense of superiority and outright glee while committing these crimes…motivated to make money at other people’s expense, to prove she was smarter than the people she hacked and to earn bragging rights in the hacking community”.