A Seattle woman who frequently used the online pseudonym “Erratic” has been arrested and federally charged with one of the largest computer data breaches in U.S. history. On Monday, July 29, 2019, it was announced that Paige Thompson had gained access to the information of over 106 million Capital One customers, including their names, addresses, Social Security numbers, and linked bank account numbers. But unlike other hackers, it doesn't appear that Thompson tried to sell the information she had gathered; she was just sitting on it and had bragged about it online on a website called GitHub.
But as the facts about the case become known, it seems to be quite a strange story. It appears that the data breach happened in phases during March and April, but Capital One wasn't made aware of the breach until someone alerted them on July 17, 2019, that the data had been posted on GitHub. Thompson had detailed her techniques on Twitter, and by posting the data to GitHub she obviously wasn't too worried about covering her tracks. It appears that while she knew of the danger of having this data, she wasn't aware of the scale of trouble she could be in.
Thompson, who used to work for Amazon Web Services, is currently unemployed and, according to her roommates, “spent all of her time online.” It is interesting to note that Thompson was arrested and charged on the same day that the breach was made known to Capital One customers.
Thompson was able to get the information because Capital One had misconfigured its Amazon server. Was Thompson just a security researcher who took her research too far, or was she maliciously intending to use the data or sell it to someone who would? It doesn't really matter why she took the data; taking it is still illegal. No one knows for sure just yet, but Capital One has fixed the flaw with its server and is reaching out to those customers whose data was exposed.
Washington Laws on Cybercrimes
Because of the breadth of the customers affected (U.S. and Canadian customers), Thompson was federally charged. But in Washington State, there are strict laws on cybercrimes. Computer trespassing in the first degree (RCW 9A.90.040) is defined as:
(1) A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another; and
(a) The access is made with the intent to commit another crime in violation of a state law not included in this chapter; or
(b) The violation involves a computer or database maintained by a government agency.
(2) Computer trespass in the first degree is a class C felony.
There is another twist to this story: as the FBI raided the rental house where Thompson lives, agents made an unrelated discovery. The man who owns the home had a cache of 20 firearms in the house, which was illegal since he has a previous felony firearms conviction and was prohibited from owning any firearms. Park Quan was arrested alongside Thompson and now faces ten years in prison and a hefty $250,000 fine.
Defense Attorney Steve Karimi
Perhaps you are a security researcher who got a little carried away with your work and you're now facing cybercrime charges in Washington. Steve Karimi is a former prosecutor who now defends those accused of serious crimes in Washington. Call his office today at 206-621-8777 or contact them online.