Nearly three years after the disclosure of one of the largest U.S. data breaches, the former Amazon employee accused of stealing customers’ personal information from Capital One is standing trial in a case that will test the power of federal anti-hacking law, the New York Times reports. Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers. She downloaded personal information belonging to more than 100 million Capital One customers in 2019, the Justice Department said. The data came from applications for credit cards. It included 140,000 Social Security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft in a trial ongoing in Seattle.
The methods Thompson used to discover the information, and what she planned to do with it, will be closely scrutinized. Thompson, 36, is accused of violating the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a “novice white-hat hacker.” Critics of the computer fraud law have argued that it permits prosecutions of people who discover vulnerabilities in online systems or break digital agreements in benign ways, like using a pseudonym on a social media site that requires users to go by their real names. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people with legitimate access to data who exploited their access improperly. In April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the DOJ told prosecutors that they should no longer use the law to pursue hackers engaged in “good-faith security research.”