Hacker Who Stole 100 Million People’s Data Gets 5 Years Probation


Capital One has been investigated by an arm of the U.S. Department of the Treasury for its allegedly lax security measures prior to the large 2019 hack.
Photo: MARK RALSTON/AFP (Getty Images)

Paige Thompson, an ex-Amazon software engineer who stole the credit card applications, Social Security numbers, and checking account numbers of more than 100 million people from Capital One, costing the company at least $270 million, was sentenced to time served and just 5 years probation late Tuesday in a Washington courtroom.

The 37-year-old Thompson, who also went by the online handle “Erratic,” was found guilty in June of wire fraud, unauthorized access to a computer and damaging a protected computer. The Seattle jury acquitted her of other charges including identity theft, according to the AP. Judge Robert Lasnick said jail would be particularly difficult for Thompson “because of her mental health and transgender status.”

During the trial, Thompson’s attorneys argued that she never misused the personal information from the companies she hacked. The hacker’s attorneys further argued that Thompson was a white hat hacker who had been trying to collect money from companies by pointing out vulnerabilities in their systems, according to The Seattle Times. A judge still has to decide restitution for victims of her hacks, which must be decided this December, according to the U.S. Attorney’s office. Capital One reached a settlement of $190 million with affected customers and was fined $80 million by the Treasury Department.

Prosecutors decried what they called a light sentence, having initially asked for Thompson to serve seven years. In a release, U.S. Attorney Nick Brown said prosecutors were “very disappointed with the court’s sentencing decision. This is not what justice looks like.” Prosecutors argued in court that Thompson did hundreds of millions of dollars in damage to both companies and individuals through hacks of not just Capital One, but 30 other companies, educational institutions, and more. Some of those other hacks involved personal data, but prosecutors stopped short of accusing Thompson of selling or sharing any of it.

Prosecutors also argued Thompson used a digital tool she built herself to comb through Amazon Web Services (AWS) and download companies’ user data. She also used the tool to plant parasitic crypto mining software on other companies’ computers that would send the proceeds to a crypto wallet under her control.

In 2019, Thompson was caught after bragging about the data breach on Twitter and other social media. She reportedly posted a message on a Slack channel saying: “I’ve basically strapped myself with a bomb vest, dropping capital ones dox and admitting it.” She also ran a hacking and cracking group on the social platform Meetup called “Seattle Warez Kiddies.”

For its part, Capital One has long dragged its feet on updating its lax cybersecurity methodologies. Reports from 2019 showed that even before the hack, some cybersecurity employees at Capital One had been saying the company had failed to address firewall vulnerabilities. The company had also not installed software it had already purchased that would help it detect breaches.

Gizmodo reached out to Capital One for comment on Thompson’s sentencing and what the company has done to bolster its cybersecurity capabilities but did not immediately hear back. Until last week, victims of the hack were still able to secure money from a settlement stemming from a class action lawsuit that claimed the company was negligent in its cybersecurity strategies.

In 2020, the U.S. Department of the Treasury’s Office of the Comptroller of the Currency investigated Capital One and found that the bank ignored obvious problems with its cloud-based systems and that its own internal audits routinely failed to recognize these faults. The OCC determined the bank had to pay an $80 million fine and appoint a committee to oversee the bank’s cybersecurity standards.

https://gizmodo.com/capital-one-hacker-paige-thompson-sentenced-probation-1849618543