Capital One hacker Paige Thompson got too light a sentence, appeals court rules

Two of the three judges said five years’ probation and time served didn’t match the severity of the crime, among other reasons for overturning the sentence.
Flowers bloom in front of the entrance to the Capital One financial services company headquarters on Sept. 12, 2024, in McLean, Va. (Photo by J. David Ake/Getty Images)

A federal appeals court overruled a district court judge’s sentence for Capital One hacker Paige Thompson this week, deciding that the sentence of five years’ probation plus time served was too lenient.

Describing the hack as the “second largest data breach in the United States at the time, causing tens of millions of dollars in damage and emotional and reputational harm to numerous individuals and entities,” two of three judges from the 9th Circuit Court of Appeals said they believed that the sentence was “substantially unreasonable.”

In deciding on the original sentence in 2022, U.S. District Judge Robert Lasnik considered that Thompson was transgender, autistic and had suffered past trauma. He raised the prospect of Bureau of Prisons decisions under a future presidential administration making life more difficult for transgender inmates. He also noted that the hack wasn’t done in a “malicious manner” and that Thompson was “tormented” about her activities.

Thompson was charged with stealing data on 106 million Capital One customers after taking advantage of a misconfigured firewall in the bank’s cloud computing system. Over the course of the investigation, the government found terabytes of additional data Thompson took from more than 30 organizations.

Prosecutors swiftly appealed the sentence, with then-U.S. Attorney Nick Brown saying “this is not what justice looks like.” They argued that the judge gave too much weight to Thompson’s history and personal characteristics.

“We agree that the district court overemphasized Thompson’s personal story,” Judge Danielle Forrest wrote, with Judge Johnnie Rawlinson concurring. “Thompson’s personal background and characteristics are, of course, proper considerations at sentencing, but they may not be the sole basis for the chosen sentence.”

The ruling also disputed the district judge saying the hack wasn’t malicious, or that Thompson was tortured over her behavior. Thompson, a former Amazon Web Services software engineer, blamed victims’ incompetence for the theft and encouraged others to hack them, and she also bragged about what she did, the ruling states.

Therefore, with a maximum sentence of 210 months, the sentence was too lenient, it reads.

President Donald Trump appointed Forrest. President Bill Clinton appointed Rawlinson. The third appeals court judge, Jennifer Sung, appointed by President Joe Biden, took issue with the duo’s decision.

What matters most is whether the district judge engaged in “abuse of discretion,” such as a procedural error, and there’s no sign of that in the Thompson sentence, Sung wrote.

The full quote on Lasnik’s “malicious manner” comment sheds more favorable light on the judge’s viewpoint, Sung observed. Lasnik said Thompson did not act “in the malicious manner that you want to punish, to the same degree as somebody who gets that information and immediately turns to monetizing it in some way,” Sung noted. Thompson also showed signs of being tormented over her activities, openly seeking jail or death.

While the majority said prospective future administrations’ actions on transgender inmates shouldn’t play a role in sentencing, Sung said the district court correctly noted that it was “dealing with Paige Thompson, what she did, who she is, is the dilemma before the court today,” and therefore the sentence gave proper weight to her being transgender.

The Center for Cybersecurity Policy and Law, in a friend of the court brief in support of the government appeal, said it wouldn’t give its opinion on how long Thompson’s sentence should be. But it asked the court to clarify one element in its ruling.

“It is critical for legal frameworks to maintain the distinction between good-faith security research and harmful criminal activities,” it wrote in its brief. “The Center is interested in this proceeding because a perception that the sentencing at issue was based on the Defense’s arguments in the District Court that the charged conduct was good-faith security research risks eroding the distinction between good-faith security research and harmful criminal activity.

“Addressing this distinction is needed to ensure ethical research is not conflated with actions like the Defendant’s and thus prevent undermining trust between the security, business, and policy communities,” it continued.

The appeals court ruling made no mention of good-faith security research.

Mo Hamoudi, an attorney for Thompson, did not immediately respond to requests for comment.

The case is being sent back to the district court level for resentencing.
