The former AWS engineer behind the Capital One hack was sentenced yesterday to time served and five years probation, including computer and location monitoring. The US Department of Justice said it believes the sentence issued to Paige Thompson is too lenient for the crime, which saw her steal 100 million customer records from Capital One’s cloud database in 2019. The attack cost the bank $270m in compensation and fines.
Thompson, whose online alias was “erratic”, was convicted of seven counts of wire fraud after uncovering Capital One’s misconfigured AWS storage buckets in 2019 and removing the data she found, in addition to other data heists.
She was also found guilty of five counts of unauthorised access to a protected computer and damaging an affected computer.
Capital One hack: Thompson sentence confuses DoJ
US Attorney Nick Brown expressed consternation at the verdict in a statement released by the DoJ, saying: “We are very disappointed with the court’s sentencing decision. This is not what justice looks like.”
In the sentencing hearing, District Judge Robert S Lasnik expressed sympathy for Thompson, explaining that time in prison would be particularly difficult for her due to her mental health and transgender status.
Reports from the hearing suggest that Judge Lasnik is aware of the danger that Thompson will commit further crimes outside of jail. “If that does happen,” he said, “I’ll admit my mistake. I believe in her and believe she will prove this is the right sentence.”
Asking the court to impose a seven-year sentence, the prosecution outlined how the former Seattle tech worker had built a tool to scan the web for misconfigured AWS accounts, hacking and downloading the data of more than 30 companies including Capital One.
In a sentencing memo, prosecutors wrote that “Thompson’s crimes were fully intentional and grounded in spite, revenge and wilful disregard for the law. She exhibited a smug sense of superiority and outright glee while committing these crimes.” Thompson, it goes on, “was motivated to make money at other people’s expense, to prove she was smarter that the people she hacked and to earn bragging rights in the hacking community”.
Friends of Thompson argue her actions had an altruistic element. In a letter to the court, a friend of the hacker wrote: “Paige saw a situation where the information on which the financial system depends for its security was left utterly unguarded by its custodians.” The letter goes on to say: “Any random person with a computer could commit nearly limitless fraud.”
Thompson will be expected to pay a restitution amount for her convictions. The hearing to determine how much that will be is scheduled for 1 December.
The breach prompted Capital One to reach a $190m settlement with affected customers. The bank was also fined $80m by the Treasury Department for failing to secure its customers’ data.