A former Amazon engineer who was accused of stealing customers’ personal information from Capital One of the largest breaches in the United States was found guilty of wire fraud and hacking charges on Friday.
A Seattle jury found that Paige Thompson, 36, had violated an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. The jury found her not guilty of theft and access device fraud.
Ms. Thompson has worked as a software engineer and ran an online community for other workers in her industry. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers. Her legal team argued that she had used the same tools and methods as ethical hackers to hunt for software vulnerabilities and report them to companies so they could be fixed.
But the Justice Department said that Ms. Thompson never planned to warn Capital One of the problems that gave her access to customers’ data, and that she had bragged to her online friends about the vulnerabilities she uncovered and the information she downloaded. Ms. Thompson also used its access to Capital One’s servers to mine cryptocurrency, the Justice Department said.
“She wanted the data, she wanted the money, and she wanted the brag,” Andrew Friedman, an assistant US attorney, said in closing arguments.
Ms. Thompson’s case attracted attention from the tech industry because of the charges under the Computer Fraud and Abuse Act. Critics of the law have argued that it is too broad and allows for the prosecution of so-called white hat hackers. Last month, the Justice Department told prosecutors that they should no longer use law-abiding hackers who engaged in “good-faith security research.”
The jury deliberated for 10 hours before finding Ms. Thompson pleaded guilty to gaining five counts of unauthorized access to a protected computer and damaging a protected computer, in addition to the wire fraud charges. She is scheduled to be sentenced on Sept. 15.
A lawyer for Ms. Thompson declined to comment on the verdict.
Capital One discovered the breach in July 2019 after a woman who had spoken with Ms. Thompson reports the data about Capital One. Capital One passed the information to the Federal Bureau of Investigation, and Ms. Thompson was arrested soon after.
Regulators said Capital One lacks the security measures it needs to protect customers’ information. In 2020, the bank agreed to pay $ 80 million to settle those claims. In December, it also agreed to pay $ 190 million to people whose data had been exposed in the breach.
“Ms. Thompson used his hacking skills to steal personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency, “said Nicholas W. Brown, US attorney for the Western District of Washington, in a statement. “Far from being an ethical hacker trying to help companies with their computer security, they exploited mistakes to steal valuable data and sought to enrich themselves.”