Capital One Hacker Dodges Jail Time in Criminal Case

October 05, 2022 | 4 minutes read
Capital One Hacker Dodges Jail Time in Criminal Case

While hackers and cybercriminals that breach the security systems of a particular company rarely face criminal charges when they are apprehended, there have been certain instances where a person has been indicted for their alleged role in facilitating a data breach. With all this being said, Paige Thompson, a former Amazon engineer that was involved in a hack of American bank holding company Capital One’s security systems several years ago in 2019, was recently sentenced to “time served and five years of probation for violating an anti-hacking law known as the Computer Fraud and Abuse Act.” For context, the data breach that Thompson was alleged to have caused impacted as many as 100 million Capital One customers.

To this end, Thompson’s actions resulted in the financial information of said customers being disclosed to the general public, including account numbers, credit card numbers, postal and email addresses, and social security numbers, among other pertinent information. Subsequently, Capital One was forced to settle a series of class action lawsuits relating to customers that had their personal privacy compromised during the course of the breach that took place, as “U.S. Attorney Nick Brown said Thompson “did more than $250 million in damage to companies and individuals.” For these reasons, the breach that Capital One sustained in 2019 is estimated to be one of the largest to have ever occurred in the history of the nation.

Capital One’s 2019 data breach

To this last point, in addition to the breach that Capital One sustained in 2019, Paige Thompson had also reportedly hacked the security systems of as many as 30 other companies. To accomplish this, prosecutors have claimed that Thompson built a software tool in her capacity as an engineer employed by multinational technology company Amazon that was designed to identify misconfigured accounts belonging to employees that worked for major corporations such as Capital One. After Thompson was able to accurately identify a misconfigured account, she would then be able to access the internal system of a business under the guise of a legitimate employee, which then enabled her to expose the personal data of millions of consumers.

In response to her actions, Thompson was arrested for her role in hacking Capital One’s security systems in July 2019. Furthermore, Thompson’s attorney countered the accusations that were levied against her by claiming that her actions were intended to be taken as a “white hat” attack, otherwise known as an ethical hack of a security system under the premise of identifying security vulnerabilities that may be present within the software or hardware that a business employs on a daily basis. Likewise, many businesses will pay white hat hackers a bounty payment for their efforts, as these attacks can help the businesses in question avoid more substantial security breaches in the long run.

Capital One refuses to pay the bounty

However, when Capital One refused to pay Thompson the bounty her attorneys claim she was looking for, she reportedly chose to post “code related to the vulnerability online and copied personal information provided by 100 million people who had applied for Capital One credit cards, federal prosecutors allege.” Consequently, these millions of people were subjected to having their personal identities stolen via the dark web, as any criminals or bad actors could have accessed this code and in turn, accessed the social security numbers and financial account information of the customers that were affected by the breach.

Data breaches and privacy concerns

Despite the fact that data breaches have very much become commonplace in the 21st century, the case of Paige Thompson and Capital One truly highlights the lack of power that American consumers have over their personal information. For example, while many businesses may view white hack attacks as beneficial for their bottom line under certain circumstances, the manner in which a cybercriminal launches a cyberattack does not change the fact that innocent people will have their privacy infringed upon in the process. In this way, even though Thompson will still serve several years of probation for her role in Capital One’s 2019 cyberattack, the adverse consequences of the event will continue to impact those affected by the data breach she caused for years to come.

By and large, most hackers that are able to successfully breach the security systems of a business or organization are able to do so without being caught. Due to this fact, everyday working people have little avenue for recourse when it comes to being affected by a data breach, as there is little that can be done to recover personal information that has been disclosed to the general public once the act has been done. For these reasons, it is imperative that the U.S. federal government enact some modicum of comprehensive data privacy legislation in the near future, as American citizens deserve some level of protection as it relates to data breaches.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »