Crime Security The Courts

US Anti-Hacking Law Tested in Trial Over 2019 Capital One Data Breach (union-bulletin.com)

"Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers," remembers the New York Times.

"In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said..." It included 140,000 Social Security numbers and 80,000 bank account numbers (drawn from applications for credit cards). Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers' personal information from Capital One is standing trial in a case that will test the power of a U.S. anti-hacking law.... She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began Tuesday in Seattle.... Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a "novice white-hat hacker."

Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, such as using a pseudonym on a social media site that requires users to go by their real names. In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in "good-faith security research."

Thompson's trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Thompson had planned to use the information she gathered for identity theft and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency... The Justice Department has argued that Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a "white hat" hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.... Some security researchers said Thompson had ventured too far into Capital One's systems to be considered a white-hat hacker.... "Legitimate people will push a door open if it looks ajar," said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm.... But downloading thousands of files and setting up a cryptocurrency mining operation were "intentionally malicious actions that do not happen in the course of testing security," Wisniewski said....

"Thompson scanned tens of millions of AWS customers looking for vulnerabilities," Brown wrote in a legal filing.

The article notes that Capital One ultimately agreed to pay $80 million in 2020 "to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers' data" and another $190 million to settle a class-action lawsuit representing people whose data was exposed.
  • From the summary, it sounds like this did in fact result in improved security for millions of Chase customers, while the extracted data was never used in a malicious way. Using the "door ajar" analogy, someone saw a door ajar in a bank, walked in and took pictures of the wide open vault and its content, but didn't actually take anything or use the pictures for profit. Obviously the bank was made aware of this, and changed its policies to ensure the bank does not get left with the door ajar and the vault open.
    • According to the police investigation, she discussed with friends how much she could make by selling the pictures to bank robbers, and stole small amounts of money from the bank.

      • Discussing how much one could make from something illegal with friends is probably not a crime. Stealing money from the bank is definitely a crime; the level will depend on the amounts.
        • Discussing how much one could make from something illegal with friends is probably not a crime.

          Absolutely. But if entering the door is a crime by law, except in cases of good intent, then the discussion would indicate that the intent wasn't good.

          • The problem is that it is not clear whether looking at publicly exposed data on a website for example is considered entering through the ajar door, or just taking a picture through the opening.
            • That would only be a problem if the law differentiates between the two, not if the law makes both illegal.

            • The problem is that it is not clear whether looking at publicly exposed data on a website for example is considered entering through the ajar door, or just taking a picture through the opening.

              There's a difference between looking at it and walking in and copying a filing cabinet's collection of data. One could argue pushing the door and then telling the owner it is unsecured is a reasonable act; going in, exploring and taking stuff is not. Talking to other people about exploiting what she gained shows she may have had other motives than a white hat hacker; had she actively engaged in discussions on doing so, it could be considered conspiracy. You don't have to commit the crime to be guilty of consp

        • by thomn8r ( 635504 )

          Stealing money from the bank, definitely a crime, the level will depend on the amounts.

          $100? Life in prison. $1,000,000? They'd probably give you a seat on the board.

      • Stealing money and also using the bank's resources to setup crypto mining operations is so far beyond the scope of any legitimate activity that I hope she is handed a stiff sentence. I'm all for having some level of protection for those who non-intrusively find security flaws and report them. Especially since most of those cases are obvious things that pique curiosity because it seems so unlikely that what one is observing is true. (i.e. Account number in URL and the like)

        On the other hand if I found tha

        • Alleged is the word, and talking about such is not the same. In the English court domain, we would say the bank had a lot of contributory negligence, and by the fines - we would assume extreme negligence. One presumes the data was publicly exposed, meaning any man or dog could have really done more than a minor browsing offence (who set it to public access?). The case should be dropped, and the resources used to amend sloppy legislation. Monetary theft is already covered by other laws. OTOH do juries award m
        • Rather than a stiff sentence, 'she' needs a stay in a mental health facility. At the time, her mental health was borderline at best, verging on a breakdown. Pretty sure a few years with all the stresses of incarceration and prosecutors going for the death sentence (/mild hyperbole) haven't helped any.

          • Criminal justice systems need to balance punishment, deterrence, rehabilitation, and public safety. If proper mental health treatment can set somebody back on the path to a productive life, it seems like that should always be strongly favored.
    • by msauve ( 701917 )
      >someone saw a door ajar in a bank, walked it and took pictures of the wide open vault and its content, but didn't actually take anything or use the pictures for profit.

      And if they weren't authorized to be there, that would still be breaking and entering.
      • >"And if they weren't authorized to be there, that would still be breaking and entering."

        Yes, but trespass is a far lower crime than theft (or disclosure to others). One could easily argue that she was guilty of a crime, but WHAT crime matters a lot.

        A better analogy is that she went into the safe, opened all the lock boxes, and recorded all the contents and who they belonged to and where they live, etc. Then took that information out of the bank, but never did anything else with the information. The

      • someone saw a door ajar in a bank, walked it and took pictures of the wide open vault and its content, but didn't actually take anything or use the pictures for profit.

        And if they weren't authorized to be there, that would still be breaking and entering.

        Completely wrong. It would be trespassing, not breaking and entering. It would still be criminal trespass unless you were mentally incompetent and somehow didn't realize you were entering a bank. Breaking and entering requires bypass of a protection device, however trivial. If the door is closed, then it might be B&E. It would be more clear if there were a latch you had to open. Walking through an open door is conclusively not B&E.

        With that said, if there is any authentication system whatsoever, and

        • What if the door is ajar and you don't enter through the ajar door, but simply take pictures through the open door? Going a bit further, what if you sneezed towards the door and the air movement caused the door to open even more, and then take pictures?
          • What if the door is ajar and you don't enter through the ajar door, but simply take pictures through the open door?

            Then it's really going to come down to intent. And if you tell your friends you're figuring out how to monetize your discovery that's going to strongly suggest that your intent is malicious.

            Going a bit further, what if you sneezed towards the door and the air movement caused the door to open even more, and then take pictures?

            Then it's going to come down to how good your lawyer is, and whether the prosecutor can convince a jury that you sneezed in that direction on purpose.

            However, you're stretching the simile too thin to be of any value. "Took pictures" is not an accurate representation of what occurred (nor is theft, this is another thing,

            • Authentication you say? Is an IPv4 address the same as a 4 character password? You can guess it, or brute force scan for it. There are plenty of padlocks out there which have fewer combinations than even just IPv4 addresses, so is scanning IP addresses for open servers the same as hacking a padlock? This is why comparing cyber crimes to physical world crimes can quickly become nonsense.
              • This is why comparing cyber crimes to physical world crimes can quickly become nonsense.

                You can't necessarily equate them, but they have to find a precedent somewhere. Hopefully they at least draw a reasonable parallel sometimes.

        • by msauve ( 701917 )
          >Breaking and entering requires bypass of a protection device, however trivial.

          Nope. It requires use of force, any force. If the door is ajar, and you push it open, that's "breaking." If you go in, that's "entering."

          Really, Googletard, it's the very first hit [cornell.edu] if you search for "breaking and entering."
    • Had the intrusion stopped after identifying which AWS customers had misconfigured firewalls, we would not still be talking about it years later. But it went beyond that. Extracting privileged credentials. Downloading personal information (and discussing how to make money from it). Setting up crypto miners. No, this was not a white hat exercise or someone just being curious.
      • Had the intrusion stopped as you say, nobody would be talking about it, and the security vulnerabilities would probably continue to be there. So we might still be talking about it, just in terms of a hack which happened later where some different hacker did monetize the breach.
      • Hmmmm. Well, there is also the possibility that it was a "white hat or someone being curious", who then, having realised what they'd stumbled upon, retrospectively gave in to temptation (or, at least, considered giving in to it).

        Not sure whether that makes a difference, from a legal perspective, but it feels like it might.

  • by Opportunist ( 166417 ) on Sunday June 12, 2022 @04:26AM (#62612786)

    Now do the hackers from Russia!

    What do you mean, you can't? What is the law good for if I can simply circumvent it by not being here?

    If you want to improve security, you might want to create laws that apply to those that you actually can get a hold of. Like, say, the companies that skip security because it cuts into their profits. But lemme guess, that's not the goal, is it? What we want is to discourage people here from exposing that our companies have crappy security because CEOs need new private jets.

    • Nobody has perfect security. Not physical security, not cyber security. Those who are negligent can and should be prosecuted for such. But the two are not mutually exclusive. No security system will work if there isn't the threat of criminal prosecution for those who try to breach it.
      • The key problem you're facing here is that the perpetrator is very likely not inside your jurisdiction. With physical security it's fairly easy, unless you are VERY close to a border to a country that has vastly different laws, such laws can be enforced in most cases. This is not the case when the bad neighborhood where the police can't go starts literally at your doorstep.

        I can't say you can't pass such laws. What I say is that they mean jack. A law you cannot enforce in almost all cases is useless, stop w

    • by _xeno_ ( 155264 )

      If you want to improve security, you might want to create laws that apply to those that you actually can get a hold of. Like, say, the companies that skip security because it cuts into their profits.

      It needs to be both. Sure, you're not going to be able to get hackers outside of your jurisdiction (especially if you decide to start a proxy war with the country they live in). But that doesn't mean that certain types of cracking shouldn't be illegal.

      The crappy car analogy would be that car manufacturers aren't liable for defects that occur if the owner fails to maintain the car. If the engine seizes despite the owner regularly changing the oil, that's a manufacturing issue. If the owner on the other hand

  • "accused of stealing customers' personal information"

    No, the people still own their personal information and Capital One has them too.

  • It seems pretty clear that she owes Capital 1 $270,000,000.
