Capital One Bank branch. Capital One Bank branch. Photo: Shutterstock

On Aug. 28, the U.S. Attorney's Office for the Western District of Washington announced a grand jury indictment of alleged Capital One hacker Paige Thompson. While prosecuting and landing a conviction for data breach crimes is uncommon, the U.S. Attorney's office has already cleared a significant hurdle: getting the defendant into custody—a feat rarely accomplished in data breach cases, former federal prosecutors said.

In late July, Thompson was arrested for accessing Capital One's online data through a misconfiguration on the bank's third-party cloud computing service, which reports claim is Amazon Web Services (AWS). 

Thompson is accused of retrieving and copying Capital One data that included personally identifiable information (PII) from roughly 100 million people who applied for a Capital One credit card. The U.S. attorney for the Western District of Washington also alleges Thompson had unauthorized access to the data of an unnamed state agency, a telecommunications conglomerate and a public research university.

Lawyers said that Thompson's case is uncommon because the alleged culprits of cybercrimes usually aren't in the U.S.' jurisdiction.

Take for instance the high-profile ransomware attack that crippled Atlanta's municipalities and other local governments and businesses last year. Although two Iranian men were indicted by a federal jury over the attack, neither have been extradited to the U.S. to face their charges.

Peter Toren, a solo practitioner and former federal prosecutor in the U.S. Department of Justice's Computer Crime and Intellectual Property Section (CCIPS), noted the Atlanta case is an example of a common roadblock most prosecutors face.

"Even if they are able to determine who the alleged perpetrator is, like the Iranians in that case, it's almost impossible to bring them to the United States, especially because a lot of these [hackers] come from Iran and Russia and they are well beyond the reach of the United States," Toren said.

In turn, law enforcement may have to wait for the alleged hacker to land in a country with an extradition treaty with the U.S.

"Unless they happen to have them arrested or they are traveling to a more friendly country [that] may turn them over to the United States," Toren said. "That's why I think cases like this, when the defendant is in the United States, is rare."

After clearing the hurdle of having the defendant in custody, prosecutors must meet the tall order of proving the defendant committed the crime. Toren said computer and wire fraud cases are generally difficult to prosecute because of the audit trail needed to connect a defendant to the data breach.

Such evidence can include computer forensics proving actions were made by the defendant and even circumstantial evidence including "postings on social media, things she may have said to friends, any sort of evidence, but certainly the most valuable would be any direct evidence they have and not circumstantial evidence," Toren said.

Prosecuting data breach cases also requires tracking and preserving digital evidence in a manner that complies with the rules of evidence, which have struggled to keep pace with technology's evolution, said Fordham University School of Law professor Cheryl Bader, a former assistant U.S. attorney for the District of New Jersey.

"Applying traditional rules of evidence to a changing technological landscape is sometimes like trying to fit a square peg into a round hole," she said. But she noted prosecutors are improving their understanding of how to prosecute technology-intensive cases, and judges are interpreting the rules of evidence "so the underlying purpose of the rules of evidence, which is to foster reliability, can be applied to virtual nonphysical facts."

After collecting their evidence, when prosecutors are arguing their case they'll also be tasked with explaining highly technical terms to jurors or a judge.

"I think one of the tasks is to draw that paperless paper trail showing the particular commands that would have allowed her to have access to this particular data and break down the evidence for the jury," Bader said.

Indeed, connecting the dots between actions and outcomes are paramount to proving data breach, such as in Julian Assange's case where he was charged with conspiracy to commit computer intrusion.

However, connecting someone to a data breach can be difficult, because many hackers work diligently to make their work untraceable.

"Often one of the biggest obstacles to these cases is identifying the individual hacker because they try to keep their identities secret," Bader said.