Capital One Hack Prosecution Raises New and Old Questions about Adequacy of CFAA
Timothy H. Gray, Ethan Kisch and Michael F. Buchanan of Patterson Belknap write:
On August 28, 2019, almost a month after Paige A. Thompson was arrested based on allegations that she hacked into servers rented by Capital One Financial Corporation, a criminal indictment was returned charging her with one count each of computer and wire fraud, as well as forfeiture allegations. The indictment includes new allegations that, in addition to hacking Capital One’s data, Thompson illegally accessed and copied data from more than 30 different entities that rented or contracted servers at an unnamed cloud-computing company at which she previously worked. The indictment provides additional details concerning Thompson’s hacking scheme. According to the indictment, Thompson used devices that allowed her to scan servers rented or contracted by Capital One and other entities at the cloud-computing company. From the scans, Thompson was able to identify servers that had firewall misconfigurations, which she then exploited to obtain security credentials that allowed her to access and copy the entities’ data. In addition to copying the data, Thompson also used the stolen computing power of the servers to mine cryptocurrency—in a scheme colloquially known as “cryptojacking.”
Read more on Data Security Law Blog.