The former Amazon engineer whose 2019 hack compromised 100 million credit card users’ accounts won’t spend any additional time in jail.
Convicted in June on seven hacking-related charges, Seattle resident Paige Thompson was sentenced Tuesday to time served and five years of probation for violating an anti-hacking law known as the Computer Fraud and Abuse Act.
Thompson, 37, was responsible for one of the largest data breaches in U.S. history. She downloaded data from more than 100 million Capital One users, including 120,000 Social Security numbers and about 77,000 bank account numbers. U.S. Attorney Nick Brown said Thompson “did more than $250 million in damage to companies and individuals.”
Prosecutors argued successfully that Thompson used a software tool she built via Amazon Web Services to look for misconfigured accounts. She then used the accounts to hack and download the data of more than 30 entities, including Capital One. The bank’s internal system recognized Thompson’s queries as coming from a “friendly” computer, so it fulfilled her data requests.
Arrested in July 2019, Thompson remained jailed until November of that year.
In 2020, Capital One agreed to pay $80 million to settle federal bank regulators’ claims that it lacked security measures it needed to protect customers’ information. In December, the bank agreed to pay $190 million to settle a class-action lawsuit filed by customers whose data was exposed in the breach.
Thompson’s federal defender Mohammad Ali Hamoudi said in an email that the $250 million damage figure is a result of Capital One’s “failure to protect the public’s data” rather than Thompson’s actions.
At the sentencing hearing, U.S. District Judge Robert Lasnik said time in prison would be particularly difficult for Thompson because of her well-documented mental health issues and because she is transgender.
Thompson had contended she was attempting to collect a bounty for spotting the vulnerability in the systems of the companies she hacked. Such bounties are sometimes paid to “white hat” hackers, who try to identify and mend vulnerabilities in companies’ online defenses.
The jury in her case “found that she did not intend to commit fraud with personal identifying information that was downloaded onto her computer,” Hamoudi said.
In closing arguments, Assistant U.S. Attorney Andrew Friedman said she “wanted data, she wanted money and she wanted to brag.”
In a letter advocating for Thompson, a friend wrote that “Paige saw a situation where the information on which the financial system depends for its security was left utterly unguarded by its custodians.”
The individual also wrote that while Thompson was wrong for not reporting it, “any random person with a computer could commit nearly limitless fraud.”
Other supporters wrote that Thompson struggled with substance abuse and dependence as a way to self-medicate for her mental health.
Hamoudi said in the email that Thompson was “on pretrial supervision” for over three years and did not test positive for using controlled substances. He also said Thompson “was never diagnosed with a substance abuse disorder.”
The defense said during the trial that her actions were legal because the breached companies’ systems performed as they were programmed.
A jury in Seattle convicted Thompson on counts of wire fraud, unauthorized access to a protected computer and damaging a protected computer following an eight-day trial. The hearing to determine the restitution amount Thompson must pay is scheduled for Dec. 1.