Court Orders Resentencing in Capital One Data Breach Case

A U.S. federal appeals court has ruled that the sentence handed to Paige Thompson, the hacker behind the 2019 Capital One data breach, was too lenient and must be reconsidered. Thompson, a former Amazon software engineer, had been convicted of wire fraud and violations of the Computer Fraud and Abuse Act. In 2022, she was sentenced to time served and five years of probation. However, the Ninth Circuit Court of Appeals has now overturned that decision, citing the severity and scale of the cyberattack.

Thompson’s actions led to one of the largest data breaches in U.S. history, exposing sensitive financial and personal information of over 100 million Americans and 6 million Canadians. She exploited misconfigured firewalls on Amazon Web Services (AWS) servers, scanning for vulnerabilities that allowed her to infiltrate Capital One’s systems and extract massive troves of customer data. The breach cost the bank heavily—Capital One was fined $80 million by U.S. regulators and later agreed to a $190 million settlement to resolve customer lawsuits.

In a 2-1 decision, the appeals court sharply criticized the original sentencing judge’s conclusion that Thompson did not act with malicious intent. The panel found this assessment to be a “clear error,” stating that the record showed significant wrongful conduct before Thompson was caught. The judges emphasized the emotional, financial, and reputational damage suffered by affected individuals and institutions, underscoring that the light sentence failed to reflect the full scope of the harm caused.

The court acknowledged that Thompson’s transgender identity and autism were taken into account during sentencing, but asserted that these factors, while relevant, should not outweigh the seriousness of the offense. The ruling sends the case back to the lower court for resentencing, signaling a broader judicial intent to reinforce accountability in high-impact cybercrime cases.

This decision not only sets the stage for a harsher penalty but also reaffirms the importance of proportional sentencing in cybersecurity breaches. As data privacy and digital infrastructure become increasingly critical to public trust, the judiciary appears poised to treat such violations with growing seriousness.