US Anti-Hacking Law Tested in Trial Over 2019 Capitol One Data Breach

'Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers,' remembers the New York Times. [Alternate URL here and here.]

'In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said...' It included 140,000 Social Security numbers and 80,000 bank account numbers (drawn from applications for credit cards).
Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers' personal information from Capital One is standing trial in a case that will test the power of a U.S. anti-hacking law.... She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began Tuesday in Seattle.... Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a 'novice white-hat hacker.'

Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, such as using a pseudonym on a social media site that requires users to go by their real names. In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in 'good-faith security research.'

Thompson's trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Thompson had planned to use the information she gathered for identity theft and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency... The Justice Department has argued that Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a 'white hat' hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.... Some security researchers said Thompson had ventured too far into Capital One's systems to be considered a white-hat hacker.... 'Legitimate people will push a door open if it looks ajar,' said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm.... But downloading thousands of files and setting up a cryptocurrency mining operation were 'intentionally malicious actions that do not happen in the course of testing security,' Wisniewski said....

'Thompson scanned tens of millions of AWS customers looking for vulnerabilities,' Brown wrote in a legal filing.

The article notes that Capitol One ultimately agreed to pay $80 million in 2020 'to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers' data' and another $190 million to settle a class-action lawsuit representing people whose data was exposed.

Read more of this story at Slashdot.