A U.S. appeals court has overturned the sentence of the individual responsible for the significant 2019 Capital One data breach, deeming the original penalty too lenient.
In 2022, Paige Thompson, a former employee of Amazon, received a sentence of five years’ probation along with time served for charges related to wire fraud and violations of the Computer Fraud and Abuse Act. Thompson exploited vulnerabilities in Amazon Web Services (AWS) to access sensitive information affecting approximately 100 million American customers and six million Canadian customers.
Court documents indicate that Thompson developed scanning software to identify AWS customers with improperly configured firewalls, which allowed her to execute external commands and access their servers. This unauthorized entry enabled her to steal critical data.
In a two-to-one decision, the appellate court highlighted that this incident constituted one of the largest data breaches in U.S. history, leading to “tens of millions of dollars in damages and emotional and reputational harm to numerous individuals and entities.” The financial repercussions for Capital One included an $80 million fine from regulators and an additional $190 million in settlements related to customer lawsuits.
The judges criticized the district court for concluding that Thompson’s actions lacked “malicious” intent, asserting that these findings were unsupported by the evidence presented. While the initial court appropriately considered Thompson’s transgender identity and autism during sentencing, the appellate court indicated that these factors should not be the sole determinants of her punishment.
As a result, the case has been remanded to the district court for reevaluation and resentencing.