Capital One Hacker Dodges Jail Time in Criminal Case
October 05, 2022 | 4 minutes read
While hackers and cybercriminals who breach a company’s security systems rarely face criminal charges when they are apprehended, there have been instances where a person has been indicted for their alleged role in facilitating a data breach. Paige Thompson, a former Amazon engineer who was involved in a 2019 hack of American bank holding company Capital One’s security systems, was recently sentenced to “time served and five years of probation for violating an anti-hacking law known as the Computer Fraud and Abuse Act.” For context, the data breach that Thompson was alleged to have caused impacted as many as 100 million Capital One customers.
Thompson’s actions resulted in the financial information of those customers being disclosed to the general public, including account numbers, credit card numbers, postal and email addresses, and social security numbers, among other pertinent information. Subsequently, Capital One was forced to settle a series of class action lawsuits relating to customers whose personal privacy was compromised during the breach, and U.S. Attorney Nick Brown said Thompson “did more than $250 million in damage to companies and individuals.” For these reasons, the breach that Capital One sustained in 2019 is estimated to be one of the largest to have ever occurred in the history of the nation.
Capital One’s 2019 data breach
In addition to the breach that Capital One sustained in 2019, Paige Thompson had also reportedly hacked the security systems of as many as 30 other companies. Prosecutors have claimed that, to accomplish this, Thompson built a software tool in her capacity as an engineer employed by multinational technology company Amazon that was designed to identify misconfigured accounts belonging to employees who worked for major corporations such as Capital One. Once Thompson had identified a misconfigured account, she was able to access the internal system of a business under the guise of a legitimate employee, which then enabled her to expose the personal data of millions of consumers.
Thompson was arrested in July 2019 for her role in hacking Capital One’s security systems. Thompson’s attorney countered the accusations leveled against her by claiming that her actions were intended as a “white hat” attack, otherwise known as an ethical hack of a security system carried out to identify security vulnerabilities that may be present within the software or hardware that a business employs on a daily basis. Many businesses will pay white hat hackers a bounty payment for their efforts, as these attacks can help the businesses in question avoid more substantial security breaches in the long run.
Capital One refuses to pay the bounty
However, when Capital One refused to pay Thompson the bounty her attorneys claim she was looking for, she reportedly chose to post “code related to the vulnerability online and copied personal information provided by 100 million people who had applied for Capital One credit cards, federal prosecutors allege.” Consequently, these millions of people were subjected to having their personal identities stolen via the dark web, as any criminals or bad actors could have accessed this code and, in turn, accessed the social security numbers and financial account information of the customers who were affected by the breach.
Data breaches and privacy concerns
Although data breaches have become commonplace in the 21st century, the case of Paige Thompson and Capital One highlights the lack of power that American consumers have over their personal information. For example, while many businesses may view white hat attacks as beneficial for their bottom line under certain circumstances, the manner in which a cybercriminal launches a cyberattack does not change the fact that innocent people will have their privacy infringed upon in the process. In this way, even though Thompson will still serve several years of probation for her role in Capital One’s 2019 cyberattack, the adverse consequences of the event will continue to impact those affected by the data breach she caused for years to come.
By and large, most hackers who successfully breach the security systems of a business or organization do so without being caught. As a result, everyday working people have little recourse when they are affected by a data breach, as there is little that can be done to recover personal information once it has been disclosed to the general public. For these reasons, it is imperative that the U.S. federal government enact some modicum of comprehensive data privacy legislation in the near future, as American citizens deserve some level of protection as it relates to data breaches.