A former Amazon Web Services Inc. employee has been sentenced to time served and five years' probation for stealing more than 100 million records belonging to Capital One Financial Corp. in 2019.
Paige A. Thompson, who worked for AWS as an engineer until 2016, was found guilty in June of seven charges relating to the hack, including wire fraud, illegally accessing a protected computer and damaging a protected computer.
The arguably lax sentence, described by the U.S. Department of Justice as “disappointing,” was handed down by a judge in Seattle. The judge in the case, Robert S. Lasnik, is said to have been moved by a statement from Thompson, who is transgender and suffers from mental health issues, in which she said she hopes to make positive and meaningful contributions to society.
The judge even admitted that the sentence was surprising and that he was taking a risk on Thompson being sincere in her contrition.
Judge Lasnik, upon sentencing Paige Thompson to probation, said he’s putting his reputation on the line that she will not commit any further crimes. “If that does happen, I’ll admit my mistake. I believe in her, and believe she will prove this is the right sentence.”
— Amy Miller (@Siliconlaw) October 4, 2022
In the case, prosecutors argued that Thompson, using the name “erratic” online, created a tool to search for misconfigured AWS accounts. This allowed her to access the accounts of more than 30 AWS customers, including Capital One, and steal their data. Other companies and organizations accessed by Thompson included UniCredit S.p.A., Vodafone plc, Ford Motor Co., Michigan State University and the Ohio Department of Transportation.
In the Capital One case, Thompson stole data that consisted of credit card applications that included names, addresses, zip and postal codes, phone numbers, email addresses, dates of birth and self-reported income. The applications also included “portions of credit card customer data,” including credit scores, credit limits, balances, payment history, contact information and “fragments of transaction data.”
However, the theft of data was not Thompson’s only alleged crime. She was also alleged to have used her access to AWS servers to mine for cryptocurrency. “She wanted data, she wanted money and she wanted to brag,” Assistant U.S. Attorney Andrew Friedman said in the closing arguments of the trial.
“While we understand the mitigating factors, we are very disappointed with the court’s sentencing decision. This is not what justice looks like,” U.S. Attorney Nick Brown said in a statement. “Ms. Thompson’s hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals. Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction.”
The sentencing came on the same day that former Uber Technologies Inc. Chief Security Officer Joe Sullivan was found guilty on charges that he covered up a security breach at Uber in 2016 that saw the theft of data relating to some 57 million Uber passengers and drivers.
Sullivan is facing up to five years in prison for covering up a hack he was not responsible for. By contrast, Thompson stole nearly twice as many records from Capital One as were taken in the Uber hack, and she was behind the data theft itself rather than a cover-up. That is not counting the other companies she stole data from.
While arguing for a seven-year sentence, Brown told the court that “she exhibited a smug sense of superiority and outright glee while committing these crimes…. Thompson was motivated to make money at other people’s expense, to prove she was smarter than the people she hacked, and to earn bragging rights in the hacking community.”
According to various polls, Seattle is ranked as the third most liberal city in the U.S. As crime increases, the slap-on-the-wrist sentence is perhaps not that surprising. In the words of The Atlantic, when the speed of repercussions drops, society loses a key deterrent against unlawful behavior.