A US appeals court has overruled the sentence given to the hacker behind the huge 2019 Capital One data breach, saying it was too lenient.
In 2022, Paige Thompson was sentenced to five years’ probation plus time served for wire fraud violating the Computer Fraud and Abuse Act.
Thompson, a former Amazon employee, accessed information relating to about 100 million American and six million Canadian customers that was sitting on Amazon Web Services servers.
According to her indictment at the time, Thomson created scanning software that allowed her to identify customers of AWS who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers. She then used the access to steal data.
Overruling her sentence two-to-one, the panel of appeal court judges say this was the second largest data breach in the US at the time, and caused "tens of millions of dollars in damage and emotional and reputational harm to numerous individuals and entities".
The hack was costly for Capital One, which was fined $80 million by regulators and paid out another $190 million in customer lawsuits.
The judges held that it was a "clear error for the district court to conclude that Thompson’s actions were not “malicious,” that Thompson did not do anything “bad” before she was caught, and that Thompson was “tortured and tormented about what she did,” given that these findings were not supported by the record."
While the district court was right to take into account the fact that Thompson is transgender and autistic during sentencing, the appeal court says this may not be the sole basis for sentencing.
The case is now being sent back to the district court level for resentencing.