The Register

Capital One cracker could be sent back to prison after judges rule she got off too lightly

Paige Thompson, the perpetrator of the Capital One data theft, may be sent back behind bars – after an appeals court ruled her sentence of time served plus five years of probation was too lenient.

Thompson, a former Amazon employee, was convicted in 2022 of stealing the financial information of more than 100 million Capital One credit card applicants and of installing cryptomining software on the bank’s AWS-hosted servers. She pulled off the heist by writing a tool that scanned for poorly secured AWS S3 cloud storage buckets: buckets whose owners had misconfigured them to be readable by anyone who could locate them.
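The article does not describe Thompson’s tool beyond saying it looked for buckets left open to anyone, and nothing here reproduces it. From the defender’s side, the question is simply whether any of your own buckets is in that state, and that can be answered from the bucket’s policy, its ACL and its Block Public Access settings. The following is an added example, not code from the article or from Capital One or AWS: it evaluates those three artefacts offline on constructed sample documents (the bucket names, the account ID and the role ARN are made up). In a real account the same dictionaries would come from boto3’s `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` calls.

```python
import json

# ACL grantee groups that mean "everyone on the internet" (AllUsers) and
# "anyone with any AWS account" (AuthenticatedUsers). Both are public for practical purposes.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four PublicAccessBlockConfiguration switches; when all are on, S3 rejects public policies/ACLs.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(principal):
    """Normalise a policy statement's Principal element to a set of strings."""
    if principal is None:
        return set()
    if isinstance(principal, str):          # Principal: "*"
        return {principal}
    out = set()
    for value in principal.values():        # Principal: {"AWS": "*"} or {"AWS": [arn, "*"]}
        out.update([value] if isinstance(value, str) else value)
    return out


def public_policy_statements(policy):
    """Return (sid, kind) for every Allow statement that names the anonymous principal '*'.
    A Condition block narrows the grant (e.g. to one source VPC), so it is reported as
    'conditional' rather than treated as safe; a human still has to read it."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be written without a list
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        findings.append((sid, "conditional" if stmt.get("Condition") else "unconditional"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants made to the public grantee groups."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit_bucket(name, policy, acl, block_config):
    """Combine the three checks into one verdict. Findings are listed even when Block Public
    Access neutralises them, because the block can be switched off later."""
    issues = [f"policy {sid} allows Principal '*' ({kind})" for sid, kind in public_policy_statements(policy)]
    issues += [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    fully_blocked = all(block_config.get(k, False) for k in BLOCK_KEYS)
    return {"bucket": name, "public": bool(issues) and not fully_blocked,
            "block_public_access": fully_blocked, "issues": issues}


# --- constructed sample inputs (not real buckets or accounts) ---------------------------
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-bucket/*"}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-private-bucket/*"}]}
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}]}
BLOCK_ALL = {k: True for k in BLOCK_KEYS}
BLOCK_NONE = {k: False for k in BLOCK_KEYS}

if __name__ == "__main__":
    for verdict in (audit_bucket("example-open-bucket", OPEN_POLICY, OPEN_ACL, BLOCK_NONE),
                    audit_bucket("example-private-bucket", PRIVATE_POLICY, PRIVATE_ACL, BLOCK_ALL)):
        print(json.dumps(verdict, indent=2))
```

The verdict deliberately separates "public" from the list of findings: a bucket protected only by account-level Block Public Access is reported as not public, but its public-looking policy and ACL grants are still listed, since removing the block would expose it immediately.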

The techie found plenty of such buckets, and downloaded some of the content they contained. She then bragged about the score on GitHub, and shared some samples of the fetched data from the Microsoft-run site. Security professional Kat Valentine noticed the leaks, and tipped off Capital One that its security had been breached, leading to Thompson’s arrest and prosecution.

After a jury trial, Thompson was found guilty of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer. She caused an estimated $40 million in damage, and Capital One was forced to pay an $80 million fine for poor data security and a further $190 million after customer lawsuits.

The Department of Justice was not happy about her sentence, given the heist was at the time the second largest case of data theft in the US. The Feds therefore sought stiffer punishment, and now they might get their wish.

On Wednesday, a trio of judges at the US Court of Appeals for the Ninth Circuit ruled 2-1 that Thompson’s sentence was too lenient and ordered a new sentencing hearing. They noted her sentence was based in part on the fact that Thompson is both autistic and transgender, because prison would be particularly challenging for her, and while that should have been taken into account, there were other factors to consider.

“We do not lightly conclude that a district court’s sentence is substantively unreasonable. But the court’s handling of the sentencing in this case is troubling and leaves us with ‘a definite and firm conviction that [it] committed a clear error of judgment in the conclusion it reached,’” Judge Danielle Forrest and Judge Johnnie Rawlinson wrote [PDF].

“Simply put, Thompson’s personal vulnerabilities do not outweigh all the other sentencing considerations or displace the district court’s obligation to select a sentence that serves the federal sentencing goals, including properly reflecting the seriousness of the offense, promoting respect for the law, imposing just punishment, deterring similar criminal conduct, and protecting the public against future criminal conduct of the defendant.”

The judges also noted that even after her arrest, Thompson continued to be active online and withdrew $40,000 in cryptocurrency she had mined using AWS servers she created using accounts she had no permission to access, and then lied about it.

Paige turner

Judge Jennifer Sung, however, disagreed. In her dissent, she said it was not for the Court of Appeals to change the district court’s ruling based on a rereading of the facts, and asserted that the lower court judge had been right to consider Thompson’s transgender status when making the original sentencing decision.

“The majority may be ‘certain’ that it ‘would have imposed a different sentence had [it] worn the district judge’s robe,’ but we may not ‘reverse on that basis,’” she wrote. “Because the District Court’s sentence was substantively reasonable under an abuse of discretion standard, I respectfully dissent.”

It’s now up to the district court to reconsider the punishment. The crimes of which Thompson was convicted carry sentences of up to 20 years. ®