Hacker Sentenced to Probation, No Prison Time, for Data Breach Affecting 100 Million People

People walk past a branch of the Capital One Bank in New York on April 17, 2019. (Johannes Eisele/AFP via Getty Images)
Naveen Athrappully
10/5/2022
Updated: 10/6/2022

A former tech worker from Seattle who was convicted of multiple charges related to the massive hack of Capital One bank and other firms back in 2019 has been sentenced to five years of probation after pleading mental illness.

Paige A. Thompson, 37, used a tool to scan Amazon Web Services (AWS) accounts to identify those which were misconfigured. Thompson then used these misconfigured accounts to hack into networks of over 30 entities and download data, obtaining the personal information of over 100 million people. The data breach forced Capital One to reach a tentative $190 million settlement with affected customers. Capital One was fined $80 million by the Treasury Department for failing to protect data.

Thompson also planted cryptocurrency mining software on the hacked servers, collecting the income generated from such mining. Arrested in July 2019, Thompson was found guilty by a federal jury in June 2022 following a seven-day trial.

On Tuesday, U.S. District Judge Robert S. Lasnik sentenced Thompson to time served plus five years of probation, including location and computer monitoring.

During the sentencing, Lasnik noted that time in prison would be “particularly difficult” for Thompson due to Thompson being a biologically male transgender person and having mental health issues.

U.S. Attorney Nick Brown said that he was “disappointed” with the court’s decision and insisted that this is not what “justice looks like.”

“Ms. Thompson’s hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals. Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction,” Brown said.

Mental Issues

At the court, Thompson’s attorneys had argued that their client was suffering from mental health issues and that Thompson never intended to profit from the stolen data.

Thompson claimed to have hacked multiple companies to spot any vulnerability in the systems of these firms and collect bounties—payments that are sometimes made to certain hackers who identify and correct vulnerabilities in networks.

The defense also argued that Thompson’s actions were legal since the breached systems continue to perform as expected.

However, prosecutors requested a seven-year prison sentence for Thompson, insisting that Thompson’s crimes were “fully intentional and grounded in spite, revenge, and willful disregard for the law.”

“She exhibited a smug sense of superiority and outright glee while committing these crimes,” prosecutors wrote in the sentencing memo. “Thompson was motivated to make money at other people’s expense, to prove she was smarter than the people she hacked, and to earn bragging rights in the hacking community.”

Lasnik scheduled a hearing on Dec. 1, 2022, to determine the amount of restitution Thompson must pay to the victims.