Accused Capital One Hacker Stands Trial for Fraud and Identity Theft

Nearly three years after the revelation of one of the biggest data breaches in the United States, a former Amazon employee accused of stealing customers’ personal information from Capital One is on trial in a case that will test the power of American anti-hacking law.

Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers. In 2019, she downloaded the personal information of more than 100 million Capital One customers, the Justice Department said.

The data came from credit card applications and included 140,000 social security numbers and 80,000 bank account numbers. She faced 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began Tuesday in Seattle.

The methods Ms. Thompson used to find the information, and what she planned to do with it, will be closely examined in this case. Ms. Thompson, 36, is accused of violating the anti-hacking law known as the Computer Fraud and Abuse Act, which prohibits access to computers without authorization. Ms. Thompson has pleaded not guilty, and her lawyers say her actions – scanning for online vulnerabilities and finding out what they exposed – were those of a “novice white-hat hacker.”


Critics of the Computer Fraud and Abuse Act have argued that it is too broad and allows prosecution of people who find vulnerabilities in online systems or break digital agreements in minor ways, such as using a pseudonym on a social media site that requires users to go by their real names.

In recent years, the courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited that access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, does not violate the law. Last month, the Justice Department told prosecutors that they should not use the law against hackers engaged in “goodwill security research.”

Ms. Thompson’s trial will raise questions about how far security researchers can go in probing for cybersecurity vulnerabilities before their actions violate the law. Prosecutors said that Ms. Thompson planned to use the information she collected for identity theft, and took advantage of her access to corporate servers in a plan to mine cryptocurrency. But her lawyers have argued that Ms. Thompson’s discovery of flaws in Capital One’s data storage system reflects the same methods used by legitimate security researchers and should not be considered criminal activity.

“They’re interpreting the law so broadly that it catches innocent behavior and as a society we should support that security researchers are trying to make it safer by going to the Internet,” said Brian Klein, a lawyer for Ms. Thompson. The law “does not give people much visibility into what can get you in trouble and what can’t get you in trouble,” Mr. Klein added.

The Justice Department has argued that Ms. Thompson had no interest in helping Capital One plug holes in its security and could not be considered a “white hat” hacker. Instead, she chatted with friends online about how she could profit from the breach, according to the legal filing.

“Even if her actions could be widely portrayed as ‘research’, she did not act in good faith,” Nicholas W. Brown, the U.S. attorney for the Western District of Washington, wrote in the legal filing. “She was inspired both to make money and to gain notoriety in the hacking community and beyond.”

Some security researchers said Ms. Thompson went too far into Capital One’s systems to be considered a white-hat hacker.

“If it seems vague, legitimate people will open the door,” said Chester Wisniewski, chief research scientist at cybersecurity firm Sophos.

It is not uncommon for security researchers to test the vulnerabilities they detect, to confirm that the flaws actually expose data, before reporting the problems to companies so that they can be corrected. But downloading thousands of files and setting up cryptocurrency mining operations were “intentional malicious actions that do not occur during security testing,” Mr. Wisniewski said.

Ms. Thompson grew up in Arkansas, where she struggled to fit in but excelled with computers, according to court records. She dropped out of high school and planned to move to Seattle, where she would eventually join the rich community of technologists and begin her gender transition.

In 2005, before she turned 20, Ms. Thompson was already working in a series of software development jobs. In 2015, she got a job at Amazon Web Services, the cloud computing wing of the online retail giant, and worked there for a little over a year. But Ms. Thompson occasionally struggled with her mental health and at times felt isolated from her peers in the tech industry, who she worried might not accept her transition, she wrote on social media and on a personal blog.

Just as Amazon stores millions of physical goods in an array of warehouses, Amazon Web Services hosts huge amounts of data for other companies that rent space on its servers. Its customers included Capital One.

In early 2019, several years after she stopped working for Amazon Web Services, Ms. Thompson searched for customers who had not configured their firewalls properly to protect their data. “Thompson scanned millions of AWS subscribers looking for vulnerabilities,” Mr. Brown wrote in the legal filing. By March, she had discovered a vulnerability that allowed her to download data from Capital One, prosecutors added.

In June 2019, Ms. Thompson sent online messages to a woman and revealed what she had obtained, according to the legal filing. Ms. Thompson added that she intended to share the data with a scammer, and said she would make her involvement in the breach public.

“I basically tied myself to the bomb waste,” Ms. Thompson stated in copies of online chats that are included in court records, referring to her plans to make the data public and to expose herself.

The woman suggested that Ms. Thompson turn herself in to the authorities, prosecutors said. A month later, the woman contacted Capital One and told the bank about the violation. Capital One reported it to law enforcement, and Ms. Thompson was arrested in late July 2019. If convicted, she could face up to 30 years in prison.

Ms. Thompson and other members of his legal team wrote in the filing. Ms. Thompson sought mental health treatment, they added, showing her determination to tackle her problems.

In 2020, Capital One agreed to pay $80 million to settle federal bank regulators’ claims that it lacked the security protocols needed to secure customer data. The settlement also required the bank to act swiftly to improve its security. In December, Capital One agreed to pay $190 million to people whose data had been compromised, settling a class-action lawsuit.
