A U.S. federal appeals court has ruled that the five-year probation sentence given to Paige Thompson, the hacker behind Capital One’s massive 2019 data breach, was too lenient. The court ordered the case back to district court for resentencing.
Case Background
- Thompson, a former Amazon employee, stole data from 100 million U.S. and 6 million Canadian customers
- Exploited misconfigured AWS firewalls using custom scanning tools
- Caused “tens of millions in damages” (2nd largest breach at the time)
- Capital One paid $80M in fines and $190M in lawsuit settlements
Court’s Ruling
The 2-1 appellate decision found the original court:
- Erred in concluding Thompson’s actions weren’t “malicious”
- Improperly dismissed the severity of pre-detection harm
- Over-relied on Thompson being transgender and autistic as mitigating factors
“These findings were not supported by the record,” stated the judges, while acknowledging these personal factors could be considered alongside the crime’s severity.
Next Steps
The case returns to district court for resentencing. Thompson still faces potential prison time under the Computer Fraud and Abuse Act.