SEATTLE — A former Amazon engineer was convicted Friday on federal charges stemming from a 2019 hack that compromised the accounts of 100 million credit card users.
A jury assembled in Seattle found Paige Thompson guilty of seven counts related to computer and electronic fraud. The verdict, delivered Friday afternoon, came after eight days of testimony and one day of deliberations.
Thompson, 36, was responsible for one of the largest data breaches in US history, in which she downloaded the data of more than 100 million Capital One customers in 2019. The data included around 120,000 social security numbers and approximately 77,000 bank account numbers.
To get this data, Thompson, who had worked as a systems engineer for Amazon Web Services but left years before the hack, searched for AWS customers with misconfigured firewalls. She then exploited those weaknesses to impersonate an authorized user, the government argued.
Since Capital One’s internal system then recognized Thompson’s requests as coming from a “friendly” computer, the system complied with her requests for data. Prosecutors argued that she also installed cryptocurrency mining software on the companies’ servers, essentially harnessing their computing power to mine currency for her own benefit.
Thompson was found guilty of one count of wire fraud and six counts of computer fraud and abuse. She was acquitted of one count of access device fraud and one count of aggravated impersonation.
“We are delighted with the verdict,” said Nick Brown, U.S. attorney for the Western District of Washington. “I hope this is a good deterrent to others, like Ms. Thompson, who claim to be bona fide hackers, but are actually engaged in something far more dangerous.”
At the center of Thompson’s case were two different interpretations of the key phrase “unauthorized.” The US Computer Fraud and Abuse Act, which Thompson was accused of violating, prohibits anyone from intentionally accessing a computer “without authorization” or “exceeding authorized access.”
In its closing arguments, the government pointed out that Thompson had no authorized access because she did not have explicit permission from Capital One or other breached companies to view and download their data.
The defense argued that Thompson’s actions were legal because the hacked companies’ systems worked as programmed, and anyone with access to a web browser could have taken the same action as Thompson.
In rebuttal, the government used the analogy of hiding a house key under a doormat. Someone might walk around the neighborhood looking under every doormat and find the key, but just because it fits in the lock doesn’t mean the intruder has “permission” to enter the house.
The government also used a sample of Thompson’s tweets, Slack posts, and chat room posts to claim she was a greed-driven hacker, rather than a noble “white hat hacker” trying to identify and correct vulnerabilities in companies’ online defenses.
Thompson’s attorney, Federal Public Defender Mohammad Hamoudi, pointed out in closing arguments Thursday that even though Thompson didn’t have an engineering or computer science degree, computers helped her connect to people and communities apart from her unstable home life. This same cold, inhuman computer world could also make Thompson feel isolated and spur her to action.
He reminded the jury that Thompson’s friends had testified to her often frantic messages, sent under the aptly chosen username “erratic,” and asked the members not to give great weight to the few messages the government had presented.
Thompson remains free on bail pending sentencing later this year.