Sentence For Capital One Hacker Slammed By US DoJ

An official with the US Department of Justice has hit out at a judge’s sentencing decision for a convicted hacker.

The hacker in question is a 37-year-old former Seattle tech worker called Paige A. Thompson (aka‘erratic’)., who hacked cloud buckets belonging to financial services company Capital One.

The hack is believed to be one of the largest in banking history and affected 100 million people in the US, and 6 million in Canada. Virginia-based Capital One said it became aware of the attack on 19 July 2019 and reported it to law enforcement.

Capital One

Stolen data including credit scores and balances, as well as the Social Security numbers of about 140,000 individual.

US federal authorities arrested Paige Thompson in July 2019, after she allegedly boasted of the exploit on the GitHub code hosting site.

The FBI raided Thompson’s residence and seized digital devices, with an initial search finding files that made references to Capital One and “other entities that may have been targets of attempted or actual network intrusions”.

Indeed, the US Department of Justice also alleged that Paige Thompson not only targeted Capital One, but she also allegedly took files from over 30 other organisations.

In August 2019 a Seattle judge ruled that Paige Thompson was a flight risk and a threat to herself and others and should not be moved to a halfway house, as her attorneys had requested.

Lawyers for Thompson, a transgender woman, had tried to have her moved out of custody and placed under GPS monitoring to give her better access to mental health care and to avoid exposing her to abuse in prison.

Thompson was held in the SeaTac Federal Detention Centre and had been placed in the male wing.

In August 2020 Capital One was fined $80 million for its lax security, and in June this year Thompson was convicted of wire fraud and unauthorised computer intrusions after a seven-day trial.

Transgender issue?

The sentencing hearing took place on Monday, and federal prosecutors made their concerns about the sentence public.

Thompson was sentenced in US District Court in Seattle to time served and 5 years of probation including location and computer monitoring for seven federal crimes connected to her scheme to hack into cloud computer data storage accounts and steal data and computer power for her own benefit.

At the sentencing hearing US District Judge Robert S. Lasnik said, time in prison would be particularly difficult for Thompson because of her mental health and transgender status.

But the US DoJ is not all happy about this sentencing.

“While we understand the mitigating factors, we are very disappointed with the court’s sentencing decision. This is not what justice looks like,” said US Attorney Nick Brown.

“Ms. Thompson’s hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals,” said Brown. “Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction.”

US Attorney Nick Brown had asked the court to impose a seven-year sentence.

Prosecutors wrote in their sentencing memo, “…Thompson’s crimes … were fully intentional and grounded in spite, revenge, and willful disregard for the law. She exhibited a smug sense of superiority and outright glee while committing these crimes…. Thompson was motivated to make money at other people’s expense, to prove she was smarter than the people she hacked, and to earn bragging rights in the hacking community.”

Judge Lasnik scheduled a 1 December 2022, hearing to determine the amount of restitution Thompson must pay to her victims.