A former Amazon worker was found guilty of hacking Capital One.
The lawyers for Paige Thompson said that she was looking for cracks so that they could be fixed. The jury decided that she was guilty of wire fraud and hacking.
A former Amazon engineer was found guilty of wire fraud and hacking on Friday. He was accused of stealing customers’ personal information from Capital One in one of the biggest security breaches in U.S. history.
A jury in Seattle decided that Paige Thompson, who is 36 years old, broke the Computer Fraud and Abuse Act, which says that you can’t get into a computer without permission. The jury didn’t think she stole someone else’s identity or used a stolen access card.
Ms. Thompson used to work as a software engineer, and she also ran an online community for people in her field. In 2019, she downloaded personal information about more than 100 million Capital One customers. Her legal team said that she had used the same tools and methods as ethical hackers, who look for holes in software and tell companies about them so they can fix them.
But the Justice Department said that Ms. Thompson never planned to tell Capital One about the problems that gave her access to customer data, and that she had told her online friends about the holes she found and the information she downloaded. The Justice Department said that Ms. Thompson also used the servers of Capital One to mine cryptocurrency.
Andrew Friedman, an assistant U.S. attorney, said in closing arguments, “She wanted information, she wanted money, and she wanted to brag.”
The charges against Ms. Thompson under the Computer Fraud and Abuse Act made people in the tech industry pay attention to her case. Critics of the law say it is too broad and could be used to go after so-called “white hat” hackers. The Justice Department told prosecutors last month that they shouldn’t use the law to go after hackers who did “good-faith security research.”
The jury took 10 hours to decide that Ms. Thompson was guilty of wire fraud and five counts of getting unauthorized access to a protected computer and damaging a protected computer. On Sept. 15, she will get her sentence.
Ms. Thompson’s lawyer didn’t say anything about the verdict.
Capital One found out about the breach in July 2019 when a woman who had talked to Ms. Thompson about the information told them about the problem. The information was given to the Federal Bureau of Investigation by Capital One, and Ms. Thompson was arrested soon after.
Officials said that Capital One didn’t have the security measures it needed to keep customers’ information safe. To settle these claims, the bank agreed to pay $80 million in 2020. In December, it also agreed to pay $190 million to people whose personal information had been stolen.
In a statement, the U.S. attorney for the Western District of Washington, Nicholas W. Brown, said that Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people and take over computer servers to mine cryptocurrency. “She wasn’t a good hacker who tried to help companies improve their computer security. Instead, she took advantage of mistakes to steal valuable data and make money for herself.”