Paige Thompson, an ex-Amazon software engineer who stole the credit card applications, social security numbers, and bank account numbers of more than 100 million people from Capital One, costing the company at least $270 million, was sentenced to time served and just five years probation late Tuesday in a Washington court.
The 37-year-old Thompson, who also went by the online handle “Erratic,” was found guilty in June of wire fraud, unauthorized access to a computer and damaging a protected computer. The Seattle jury acquitted her of other charges including identity theft, according to the AP. Judge Robert Lasnick said prison would be especially difficult for Thompson “because of her mental health and transgender status.”
During the trial, Thompson’s attorneys argued that she never misused the personal information from the companies she hacked. The hacker’s lawyers further argued that Thompson was a white hat hacker who had been attempting to collect money from companies by pointing out vulnerabilities in their systems, according to The Seattle Times. A judge still has to decide restitution for victims of her hacks, which should be determined this December, according to the U.S. Attorney’s office. Capital One reached a settlement of $190 million with affected customers and was fined $80 million by the Treasury Department.
Prosecutors decried what they called a light sentencing, originally asking for Thompson to serve seven years. In a release, U.S. Attorney Nick Brown said prosecutors were “very disappointed with the court’s sentencing decision. This is not what justice looks like.” Prosecutors argued in court that Thompson did hundreds of millions of dollars in damage to both companies and individuals through hacks of not just Capital One, but 30 other companies, educational institutions, and more. Some of those other hacks involved personal data, but prosecutors stopped short of accusing Thompson of selling or sharing any of it.
Prosecutors also argued Thompson used a digital tool she built herself to comb through Amazon Web Services (AWS) and download companies’ user data. She also used the tool to plant parasitic crypto mining software on other companies computers that would send the proceeds to a crypto wallet under her control.
In 2019, Thompson was caught after bragging about the data breach on Twitter and other social media. She reportedly posted a message on a Slack channel saying: “I’ve basically strapped myself with a bomb vest, dropping capital ones dox and admitting it.” She also ran a hacking and cracking group on the social platform Meetup called “Seattle Warez Kiddies.”
For its part, Capital One has long dragged its feet on updating its lax cybersecurity methodologies. Reports from 2019 showed that even before the hack, some cybersecurity employees at Capital One were saying the company had failed to address firewall vulnerabilities. The company had also not installed the software it had already purchased that would help it detect breaches.
Gizmodo reached out to Capital One for comment on Thompson’s sentencing and what the company has done to bolster its cybersecurity capabilities but did not immediately hear back. Until last week, victims of the hack were still able to secure money from a settlement stemming from class action lawsuit that claimed the company was negligent in its cybersecurity methods.
In 2020, the U.S. Department of the Treasury’s Office of the Comptroller of Currency investigated Capital One and found that the bank ignored obvious problems with its cloud-based systems and their own internal audits routinely failed to recognize those faults. The OCC determined the bank had to pay a $80 million fine and appoint a committee to oversee the bank’s cybersecurity standards.