Renata Geraldo / The Seattle Times
The former Amazon engineer whose 2019 hack compromised 100 million credit card users’ accounts won’t spend any additional time in jail.
Convicted in June on seven hacking-related charges, Seattle resident Paige Thompson was sentenced Tuesday to time served and five years of probation for violating an anti-hacking law known as the Computer Fraud and Abuse Act.
Thompson, 37, was responsible for one of the largest data breaches in U.S. history. She downloaded data from more than 100 million Capital One users, including 120,000 Social Security numbers and about 77,000 bank account numbers. U.S. Attorney Nick Brown said Thompson “did more than $250 million in damage to companies and individuals.”
Prosecutors argued successfully that Thompson used a software tool she built via Amazon Web Services to look for misconfigured accounts. She then used the accounts to hack and download the data of more than 30 entities, including Capital One. The bank’s internal system recognized Thompson’s queries as coming from a “friendly” computer, so it fulfilled her data requests.
Arrested in July 2019, Thompson remained jailed until November of that year.
In 2020, Capital One agreed to pay $80 million to settle federal bank regulators’ claims that it lacked security measures it needed to protect customers’ information. In December, the bank settled for $190 million a class-action lawsuit filed by customers whose data was exposed in the breach.
At the sentencing hearing, U.S. District Judge Robert Lasnik said time in prison would be particularly difficult for Thompson because of her well-documented mental health issues and because she is transgender.
Thompson had contended she was attempting to collect a bounty for spotting the vulnerability in the systems of the companies she hacked. Such payments are sometimes paid to “white hat” hackers, who try to identify and mend vulnerabilities in companies’ online defenses.
“She wanted data, she wanted money and she wanted to brag,” Assistant U.S. Attorney Andrew Friedman said in closing arguments.
In a letter advocating for Thompson, a friend wrote that “Paige saw a situation where the information on which the financial system depends for its security was left utterly unguarded by its custodians.”
The individual also wrote that while Thompson was wrong for not reporting it, “any random person with a computer could commit nearly limitless fraud.”
Other supporters wrote that Thompson struggled with substance abuse and dependence as a way to self-medicate for her mental health.
The defense said during the trial that her actions were legal because the breached companies’ systems performed as they were programmed.
A jury in Seattle convicted Thompson on counts of wire fraud, unauthorized access to a protected computer and damaging a protected computer following an eight-day trial. The hearing to determine the restitution amount Thompson must pay is scheduled for Dec. 1.