A proud transgender former Amazon software engineer hacked the private credit card data of 100 million Americans in a massive data breach.
And now, nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers’ personal information from Capital One is standing trial in a case that will test the power of American anti-hacking law.
The Justice Department said Thompson worked as a software engineer in Seattle and ran an online community for other programmers. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers.
Thanks to a cloud misconfiguration, Thompson was able to access credit applications, Social Security numbers, and bank account numbers in one of the biggest data breaches to ever hit a financial services company — putting it in the same league in terms of size as the Equifax incident of 2017.
100 Percent FedUp noted:
Accused of violating the Computer Fraud and Abuse Act, an anti-hacking law, they and their attorneys argue that Thompson’s actions were those of a “white hat hacker” (a benevolent hacker, sometimes employed by companies to find security weaknesses) who was probing for vulnerabilities for good reasons… despite downloading, stealing, over 100 million customers’ important personal data.
Some critics condemn the Computer Fraud and Abuse Act for its “loopholes” which allow for leniency for hackers who find vulnerabilities in a system, which is exactly what Thompson’s legal team is trying to exploit.
Prosecutors claim Thompson intended to use the stolen information to conduct identity theft. They also allege she took advantage of her access to corporate servers in a scheme to mine cryptocurrency.
More details of this report from the Daily Mail:
Thompson’s lawyers have argued her discovery of the “flaws” in Capital One’s data storage system was part of “good-faith research.”
They claim her hacking methods “reflected the same practices used by legitimate security researchers” and fall under the Computer Fraud and Abuse Act statute that protects those who find vulnerabilities in online systems.
“They are interpreting a statute so broadly that it captures conduct that is innocent and as a society we should be supporting, which is security researchers going out on the internet and trying to make it safer,” defense attorney Brian Klein said.
Thompson’s federal trial begins on Tuesday as they face 10 counts of computer fraud, wire fraud, and identity theft. Conviction would mean up to thirty years in prison.
In 2020, Capital One agreed to pay $80 million to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers’ data. The settlement also required the bank to work quickly to improve its security.
In December, Capital One agreed to pay $190 million to people whose data had been exposed in the breach, settling a class-action lawsuit.