Ninth Circuit Reverses Probation Sentence for Transgender Hacker
A short excerpt from the 9,000-word U.S. v. Thompson, decided yesterday by Ninth Circuit Judge Danielle J. Forrest, joined by Judge Johnnie B. Rawlinson:
Paige Thompson committed the second largest data breach in United States history at the time, causing tens of millions of dollars in damage and emotional and reputational harm to numerous individuals and entities. The district court correctly calculated Thompson’s sentencing range under the Federal Sentencing Guidelines (the Guidelines) to be 168 to 210 months of imprisonment. It then granted a roughly 98% downward variance to time served (approximately 100 days) and five years of probation. Because the district court made clearly erroneous findings and did not properly weigh the 18 U.S.C. § 3553(a) sentencing factors, we conclude that the sentence it imposed is substantively unreasonable, and we vacate and remand for resentencing….
Before the events at issue, Thompson worked as a Systems Engineer at Amazon Simple Storage Service (S3). S3 is “an object storage service” offered to businesses by Amazon Web Services (AWS). Over two years after her employment at Amazon ended, Thompson began hacking AWS customers’ accounts. She used a virtual private network service and The Onion Router network to anonymize her activity. Using a programming script, she scanned millions of publicly available IP addresses associated with AWS for vulnerabilities in their systems.
When Thompson found vulnerable accounts, she queried them for security credentials and saved those credentials on her computer. The credentials allowed Thompson to authenticate directly into AWS customers’ cloud-computing environments. Once inside, if the credentials permitted, Thompson ran a “sync” command to download data from customers’ cloud storage. In total, Thompson got credentials from at least 200 entities and stole data from at least 30 of them. For example, Thompson obtained Capital One’s security credentials and downloaded personally identifying information (PII) of 98 million Americans.
Thompson then compressed and stored the data stolen from AWS customers on her computer, and she researched additional storage options. While Thompson did not sell or distribute any stolen information, she did research ways to profit from the data, bragged about possessing it, and encouraged others to hack vulnerable accounts. She also blamed her breaches on the companies’ inadequate cybersecurity.
In addition to downloading private data, Thompson used AWS customers’ computing power to mine cryptocurrency—a cyberattack known as “cryptojacking.” Using the stolen security credentials, Thompson created new virtual servers in customers’ cloud environments. She deployed cryptocurrency miners inside the virtual servers and mined cryptocurrency into her own virtual wallet. Cryptomining is expensive because it requires significant computer power. AWS customers were billed for the electricity used by Thompson’s cryptojacking, while Thompson received the cryptocurrency payments. Thompson deleted the evidence of her cryptojacking from the companies’ computer logs. …
In June 20
Article from Reason.com