Last Friday, a federal jury in Seattle, Wash. returned a largely guilty verdict against 36-year-old Paige Thompson for multiple counts of Computer Fraud and Abuse Act (CFAA) violations in connection with the Capital One data breach, which exposed 100 million Americans’ personal information.
The criminal indictment dates to August 2019, when the federal government leveled multiple allegations at Thompson, a former Amazon employee, according to The New York Times. An article published last week by Kate Conger noted that Thompson was a software engineer and ran an online community for industry peers. In 2019, she downloaded personal information belonging to over 100 million Capital One customers and prospective customers, the article said.
According to the federal government, Thompson created proxy scanners that allowed her to identify Amazon Web Services (AWS) servers with misconfigured web application firewalls that permitted outside commands to reach and be executed by the servers. Then, she sent commands to the misconfigured servers to obtain security credentials for particular accounts or roles belonging to the victims, which included several intermediary companies and a state agency that rented or contracted computer servers from AWS.
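A defender-side check that follows from this pattern, added here as an example and not part of the original article: it scans constructed CloudTrail-style records (field names and the constructed account id, role name, instance id and IP ranges are assumptions, not values from the case) for an EC2 instance role's temporary credentials being used from an address outside the instance's expected egress range, which is the signal that such credentials have been lifted off the server and replayed elsewhere.

```python
import ipaddress
import re

# Constructed sample records in the shape of CloudTrail events (assumption: CloudTrail field names).
# The first call comes from the instance's own NAT egress; the next two replay the same role
# session from an outside host; the last is an ordinary IAM user and is out of scope.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/waf-role/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-22T10:01:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2019-03-22T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2019-03-22T10:06:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2019-03-22T10:07:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}},
]

# Assumption: the instances' outbound traffic leaves through this constructed NAT range.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# An instance profile session is named after the instance id, so the ARN ends in ".../i-...".
INSTANCE_SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")


def instance_role_calls_from_outside(events, expected_egress=EXPECTED_EGRESS):
    """Return one finding per call made with an instance role session from an unexpected IP."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if not match:
            continue  # a role session not tied to an instance id is out of scope here
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            continue  # AWS service principals log a hostname, not an IP address
        if any(ip in net for net in expected_egress):
            continue
        findings.append({"role": match.group(1), "instance": match.group(2), "ip": str(ip),
                         "event": ev["eventName"], "time": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for f in instance_role_calls_from_outside(SAMPLE_EVENTS):
        print(f"{f['time']} {f['role']} session for {f['instance']} used from {f['ip']}: {f['event']}")
```

Note that S3 object-level calls such as GetObject only appear in CloudTrail when data events are enabled for the bucket; without them, the bucket listing alone is the visible signal.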
In refusing to dismiss the CFAA counts of the indictment, Judge Robert A. Lasnik bought the government’s theory that, relying on tenets of trespass law, “the computer system disclosed the credentials by ‘mistake, not authorization,’ given defendant misrepresented herself as an authorized user.” Under Supreme Court precedent, the court found that the indictment adequately stated CFAA offenses.
During a five-day trial, according to The New York Times, the jury heard arguments that Thompson used the same tools white hat hackers use to detect software vulnerabilities in order to report them for correction. The federal government argued otherwise, contending that Thompson never planned to tell Capital One about its flawed security, bragged to her friends online, and used her access to the credit card company’s servers to mine cryptocurrency.
The verdict was returned after 10 hours of deliberation, The New York Times noted. Though the jury found her not guilty of unlawful possession of unauthorized access devices and aggravated identity theft, the panel found otherwise for five counts of CFAA abuses, wire fraud, and illegally obtaining the information of a card issuer.
Notably, the verdict comes shortly after the Department of Justice announced that it would not prosecute those conducting good-faith cybersecurity research for CFAA violations.
Thompson is represented by the Federal Public Defender’s Office and Waymaker LLP. The federal government is represented by the United States Attorney’s Office.