DoJ ‘very disappointed’ with probation sentence for Capital One hacker Paige Thompson

Convicted wire fraud perpetrator Paige Thompson (aka "erratic") has been sentenced to time served and five years of probation with location and computer monitoring, prompting U.S. Attorney Nick Brown to label the sanctions unsatisfactory. Thompson infamously raided cloud storage buckets operated by financial services company …

  1. Pete 2 Silver badge

    Whose fault is it?

    > millions of people who are justifiably concerned about their private information

    Is that the fault of the hacker, or the host company that cheaped out on bad security?

    Since the sanctions were probation and an $80m fine, respectively, it seems to me that the judge's message was clear - if somewhat naive the sentence he imposed was based, in part, on his belief Thompson will not commit further crimes.

    As it is, a fine of $80m for losing the data of 100million people sounds remarkably low. That places a value of only 80¢ on each person's "justifiable concern about their private information".

    Shall we see the company making good the $250million of damage done? Or was that an exaggeration for effect?

    1. veti Silver badge

      Re: Whose fault is it?

      Well, the company certainly has something to answer for, but it's still the fault of the hacker.

      If I leave my front door unlocked, that doesn't make it OK for you to come in and rob the place.

      1. Kevin McMurtrie Silver badge

        Re: Whose fault is it?

        The bank must, by law and by expectations, lock the door so your analogy is wrong. Everyone is guilty in this case but there's hardly any punishment.

        1. Halfmad

          Re: Whose fault is it?

          There's hardly any punishment as people don't take their business elsewhere publicly.

          A few will leave but not the droves the companies deserve.

          1. MachDiamond Silver badge

            Re: Whose fault is it?

            "There's hardly any punishment as people don't take their business elsewhere publicly."

            It won't get fixed if fines aren't severe for the recipient and jail time possible for the execs.

          2. Claptrap314 Silver badge

            Re: Whose fault is it?

            Where exactly would they go?

        2. This post has been deleted by its author

        3. Cav Bronze badge

          Re: Whose fault is it?

          The analogy is perfectly correct. The initial poster basically suggested that the hacker was not culpable. That is false and the analogy asserting the reason why, quite apt.

          Yes, the company is at fault too, but there is no rational argument for suggesting that the major fault does not lie with the hacker.

        4. John Brown (no body) Silver badge

          Re: Whose fault is it?

          "Everyone is guilty in this case but there's hardly any punishment."

          It seems to be on par with the Google settlement, although comparing the defendants' incomes, Google got off way more lightly for a similar number of offences.

      2. imanidiot Silver badge

        Re: Whose fault is it?

        "If I leave my front door unlocked, that doesn't make it OK for you to come in and rob the place."

        It does mean that the charges would go from burglary (possibly with home invasion added) and theft to only theft with the associated drop in penalties.

        1. nobody who matters

          Re: Whose fault is it?

          It would only change from 'breaking and entering' (which is a criminal offence), to trespassing (which is merely a civil offence).

          If you steal something, it is legally classified as theft under either of the previous two circumstances.

          I think the analogy is therefore fair and reasonable. Leaving a door unlocked may be taken as OK to come in and look around, but still doesn't make it permissible to remove any of the contents.

          (This is how urbex groups get away with what they do - they find a way in without breaking in (eg. unlocked door, hole in a fence), but they do not take away with them anything which they find inside, and they take care to do no damage. Thus they are only guilty of the civil offence of trespass, for which they will not be taken to court.)

      3. Brian 3

        Re: Whose fault is it?

        Actually it does make it okay, legally speaking, in most countries.

        1. Cav Bronze badge

          Re: Whose fault is it?

          No, it doesn't. Not in the real world.

        2. doublelayer Silver badge

          Re: Whose fault is it?

          I strongly advise you not to test that idea you've had. I'd like you to learn that you're wrong, but you can learn that by reading it online rather than by spending time in jail for theft.

      4. Anonymous Coward

        Re: Whose fault is it?

        I actually have left the back door unlocked by accident; my wife roasted me for it.

      5. MachDiamond Silver badge

        Re: Whose fault is it?

        "If I leave my front door unlocked, that doesn't make it OK for you to come in and rob the place."

        If you are storing things for other people and leave your front door unlocked it's your problem as well.

    2. JimC

      Re: Whose fault is it?

      Nice victim blaming. Something the IT industry is all too good at and needs to grow up about.

      1. Little Mouse

        Re: Whose fault is it?

        No victim blaming to see here. The victims of this debacle were the individuals whose data was compromised. And according to a court of law, Capital One absolutely were culpable in this.

        1. MachDiamond Silver badge

          Re: Whose fault is it?

          "No victim blaming to see here. The victims of this debacle were the individuals whose data was compromised. And according to a court of law, Capital One absolutely were culpable in this."

          Capital One is no small company. Why is it a good idea for them to outsource data storage (and processing I'd assume)?

          When I had a manufacturing company, anything we did all of the time wasn't a good candidate for outsourcing. It made no sense to offload things to another company, pay their profit margin along with the cost to do the work. If they could do it for less, we'd be doing something very wrong. What I suspected would be a lot of cutting corners and that wouldn't have fit with my quality goals.

    3. MachDiamond Silver badge

      Re: Whose fault is it?

      "That places a value of only 80¢ on each person's "justifiable concern about their private information"."

      It puts a price on a person's PII. What's the going commercial rate at 100mn inquiries? $.80 might be close.

  2. John69

    Disappointed with whom?

    The hacker does porridge, those responsible for security but put all that data in a "cloud bucket" (read a third party computer that was not properly secured) do not. Which is what justice looks like?

  3. RPF

    It's the fault of the hacker, no question.

    1. Jason Bloomberg Silver badge

      It takes two to tango and it doesn't have to be one or the other.

  4. Anonymous Coward

    The fact someone "promises" not to commit future crimes doesn't change the fact that they already committed a crime they should be properly punished for, especially in light of the millions of people affected by this yahoo.

    1. veti Silver badge

      Well, that kinda raises all sorts of philosophical questions. What is justice, and what, ultimately, is the point of it? How does it relate to courts and the penal system? What exactly is the judge's role, and who are we to second guess their decision?

      If you really want to get into that, this probably isn't the right forum for it.

      1. Cav Bronze badge

        One of the points of justice is deterrent. That only works if the gain is more than the pain that results from the illegal action. Poor punishment is poor deterrent.

        1. John Brown (no body) Silver badge

          "One of the points of justice is deterrent. That only works if the gain is more than the pain that results from the illegal action. Poor punishment is poor deterrent."

          Another point of the justice system is rehabilitation. Something the US justice system doesn't generally seem to be very strong on.

      2. doublelayer Silver badge

        Good questions. I'm going to take them out of order, though.

        "What exactly is the judge's role, and who are we to second guess their decision?"

        The judge's role is to look at the evidence and the law and assign an appropriate sentence, keeping in mind that the law may state sentencing requirements or recommendations that limit their power. We are not only worthy of second-guessing that decision, but it is meritorious for us to do so in our role as citizens. We don't get to countermand the decision, but if we think that the sentences are consistently unethical in either direction, it's a thing that we, through our democratic processes, can change by altering the aforementioned sentencing requirements in law.

        "What is justice, and what, ultimately, is the point of it? How does it relate to courts and the penal system?"

        That's the larger question, and I don't have a pithy answer to it. Part of it is ensuring that new crimes are not committed, by this defendant or by others. Inadequate penalties can produce bad results, but massive deterrents aren't perfect either. Some degree of equality in justice is important as well.

    2. Anonymous Coward

      But now there's the "get out of jail" card - mental status, gender status, etc. - we all should be equal before the law - but when committing crimes someone immediately starts to assert they are "different" and should not bear the consequences of their deliberate actions.

      Your "equal" or not "equal" - unless you're a Schrödinger's cat you can't be both.

      1. nobody who matters

        ".....Your "equal" or not "equal"........"

        All people are equal, but some people are more equal than others ;)

        (Oh, and just to be pedantic, it should be you're ;))

      2. Anonymous Coward

        If you think mental illness is a get out of jail free card, I can only assume you have neither lived with a serious mental illness nor been close to someone who has had one. Free, it is not. Grow up.

        1. John Brown (no body) Silver badge

          You do know that he's referring to convicted criminals using mental health issues as a mitigating feature, even when it isn't, don't you?

          See, for example, Ernest Saunders, the only person in medical history to make a full recovery from Alzheimer's.

      3. Cav Bronze badge

        A stupid comment. Some mental conditions absolutely absolve someone of guilt and render some forms of punishment inappropriate. The point of justice is punishment, deterrence and rehabilitation. If a mental health condition would result in someone suffering severe mental consequences that the average person would not then that punishment is not, in fact, equal. Your argument is exactly the opposite of equality.

        And, if someone is transgendered they will absolutely suffer different consequences in prison compared to the average person. Can you imagine how they would be treated by other inmates?

        1. nobody who matters

          "......Some mental conditions absolutely absolve someone of guilt....."

          Now you are making the stupid comment - whilst some mental conditions may be a reason or explanation as to why somebody has done something, and may well make it inappropriate or undesirable to mete out a formal punishment; they are still guilty of committing the act, and nothing will absolve them from that or cancel it out.

          In this case, the accused has already been held in prison for 3 years, so your last paragraph is lagging behind the events a bit, and that period (and any abuse received during that time) will have been a part of the mitigation against further incarceration.

          1. Anonymous Coward

            The UK justice system (at least) disagrees with you, which is why there’s a verdict of “not guilty by reason of insanity”. The hint’s in the first two words, if you’re still struggling.

            Also, you may want to read up on the concept of mens rea, which is fundamental to most crimes.

    3. EnviableOne

      go directly to jail ..

      She's been in jail since Jul 2019 and has release conditions on probation for 5 yrs, which will get her sharp back there. She has been punished, more so than anyone not causing death would be under the UK Computer Misuse Act.

      She has taken an oath to be a productive member of society, and if at any point in the next 5yrs she isn't, it's back behind bars

  5. Pascal Monett Silver badge

    "the sentence he imposed was based, in part, on his belief Thompson will not commit further crimes"

    So, a judge with a touch of naiveté.

    How touching.

    1. Anonymous Coward

      Re: "the sentence he imposed ..."

      Not naive, if it is a judge appointed by Mr T.

      He is preparing the jurisprudence for another judge that will be then able to decide to let Mr T. go free if he promises not to do it again...

      Even if everybody knows that for Mr T. promises are just meaningless statements.

  6. Paul Hovnanian Silver badge

    This is not what justice looks like

    We're really not sure exactly what this looks like.

  7. MachDiamond Silver badge

    Having bits removed or tacked on should make no difference in a prison sentence. The judge needs a tall glass of commonsense and a whooping to learn 'um that bad people must be punished, not coddled.

  8. JumpinJack

    Security Vendors Love Them Their Hackers

    I read these indignant comments about the bank being lax and the hacker being at fault and this argument ensues and this idea the fine is too low and the people what had their information nicked are only worth 80 cents each and, shut it!!!! Cap One had oodles and scads of infosec crap platform protections in play and this entity called Paige wandered in and made off with all them goods. Bet on this: the information security vendors what had their wares installed and whatnot in the Cap One data tank went to the soon to be sacked CIO and minions and declared "BUY MORE OF OUR FLAWED CRAP BECAUSE YOU DIDN'T HAVE ENOUGH OF OUR FLAWED CRAP RUNNING IN YOUR SWISS CHEESE ENVIRONMENT SO YOU WAS ROBBED!" So Cap One did buy more of what was hacked by Paige. And the Cap One brass was all like the Girl With The Faraway Eyes, sitting in the corner looking a little bleary, cheque books at the ready. Like Mick sings - When you are down on your luck and you can't harmonize, buy another firewall for the girl with the faraway eyes.
