Fraud and Identity Theft Trial to Test American Anti-Hacking Law
Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers’ personal information from Capital One is standing trial in a case that will test the reach of American anti-hacking law.
Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said.
The data came from credit card applications and included 140,000 Social Security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began on Tuesday in Seattle.
The methods Ms. Thompson used to find the information, and what she planned to do with it, will be closely scrutinized in the case. Ms. Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids accessing a computer without authorization. Ms. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they uncovered — were those of a “novice white-hat hacker.”
Critics of the computer fraud law have argued that it is too broad and allows prosecutions of people who discover vulnerabilities in online systems or break digital agreements in benign ways, like using a pseudonym on a social media site that requires users to go by their real names.
In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, in Van Buren v. United States, ruling that it could not be used to prosecute people who had legitimate access to data but used that access improperly. And in April, a federal appeals court ruled, in hiQ Labs v. LinkedIn, that automated data collection from public websites, known as web scraping, did not violate the law. Last month, the Justice Department instructed prosecutors that they should not use the law to pursue hackers engaged in “good-faith security research.”
Ms. Thompson’s trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Ms. Thompson had planned to use the information she gathered for identity theft, and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency. But her lawyers have argued that Ms. Thompson’s discovery of flaws in Capital One’s data storage system mirrored the practices used by legitimate security researchers and should not be considered criminal activity.
“They’re interpreting a statute so broadly that it captures conduct that’s innocent and as a society we should be supporting, which is security researchers going out on the internet and trying to make it safer,” said Brian Klein, a lawyer for Ms. Thompson. The law “doesn’t give a lot of visibility to people on what could get you in trouble and what couldn’t get you in trouble,” Mr. Klein added.
The Justice Department has argued that Ms. Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a “white hat” hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.
“Even if her actions could be broadly characterized as ‘research,’ she did not act in good faith,” Nicholas W. Brown, the U.S. attorney for the Western District of Washington, wrote in a legal filing. “She was motivated both to make money and to gain notoriety in the hacking community and beyond.”
Some security researchers said Ms. Thompson had ventured too far into Capital One’s systems to be considered a white-hat hacker.
“Legitimate people will push a door open if it looks ajar,” said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm.
It is not unusual for security researchers to test vulnerabilities they discover, confirming that they actually lead to exposed data, before reporting the problems to companies so they can be fixed. But downloading thousands of files and setting up a cryptocurrency mining operation were “intentionally malicious actions that don’t happen in the course of testing security,” Mr. Wisniewski said.
Ms. Thompson grew up in Arkansas, where she struggled to fit in but excelled with computers, according to court records. She dropped out of high school and made plans to move to Seattle, where she would eventually join a thriving community of technologists and begin a gender transition.
In 2005, before she turned 20, Ms. Thompson was already working in a series of software development jobs. In 2015, she secured a job at Amazon Web Services, the cloud computing wing of the internet retail giant, and worked there for a little over a year. But Ms. Thompson sometimes struggled with her mental health and at times felt alienated from her peers in the tech industry, who she worried did not accept her transition, she wrote on social media and a personal blog.
Just as Amazon stores millions of physical goods in a dizzying array of warehouses, Amazon Web Services hosts vast amounts of data for other companies that rent space on its servers. Among its customers was Capital One.
In early 2019, several years after she stopped working for Amazon Web Services, Ms. Thompson searched for its customers who had not properly set up firewalls to protect their data. “Thompson scanned tens of millions of AWS customers looking for vulnerabilities,” Mr. Brown wrote in a legal filing. By March, she had discovered a vulnerability that allowed her to download data from Capital One, the prosecutor added.
In June 2019, Ms. Thompson sent online messages to a woman and disclosed what she had found, legal filings said. Ms. Thompson added that she had considered sharing the data with a scammer, and said she would publicly reveal her involvement in the breach.
“I’ve basically strapped myself with a bomb vest,” Ms. Thompson said in copies of the online chat that were included in court records, referring to her plan to publicly release the data and expose herself.
The woman suggested that Ms. Thompson turn herself in to the authorities, prosecutors said. A month later, the woman contacted Capital One and told the bank about the breach. Capital One informed law enforcement officials, and Ms. Thompson was arrested in late July 2019. If convicted, she could face more than 30 years in prison.
“The snapshots submitted by the government are an incomplete and inaccurate portrayal of a life more fairly described as one of survival and resilience,” Mohammad Ali Hamoudi, a lawyer representing Ms. Thompson, and other members of her legal team wrote in a filing. Ms. Thompson had sought mental health treatment, they added, demonstrating her resolve to confront her problems.
In 2020, Capital One agreed to pay $80 million to settle claims from federal bank regulators that it lacked the security controls needed to protect customers’ data. The settlement also required the bank to move quickly to improve its security. In December, Capital One agreed to pay $190 million to people whose data had been exposed in the breach, settling a class-action lawsuit.