It’s not just me who thinks this light sentence doesn’t sound like justice, it’s the Biden DOJ. According to their press release, the judge went easy on hacker Paige Thompson because he felt prison would be tough on a trans woman with mental health problems.

A 37-year-old former Seattle tech worker was sentenced today in U.S. District Court in Seattle to time served and 5 years of probation…At the sentencing hearing U.S. District Judge Robert S. Lasnik said, time in prison would be particularly difficult for Ms. Thompson because of her mental health and transgender status.

“While we understand the mitigating factors, we are very disappointed with the court’s sentencing decision.  This is not what justice looks like,” said U.S. Attorney Nick Brown.  “Ms. Thompson’s hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals. Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information.  This conduct deserves a more significant sanction.”

Thompson was convicted of seven hacking charges in June of this year and prosecutors had been asking for a seven year sentence.

Asking the court to impose a seven-year sentence, prosecutors wrote in their sentencing memo, “…Thompson’s crimes … were fully intentional and grounded in spite, revenge, and willful disregard for the law. She exhibited a smug sense of superiority and outright glee while committing these crimes…. Thompson was motivated to make money at other people’s expense, to prove she was smarter than the people she hacked, and to earn bragging rights in the hacking community.”

Thompson was arrested on July 29, 2019 and released on bond in early November:

Paige Thompson was granted bond on Monday. She surrendered her passport and will live in a halfway house. Officials also said Thompson will wear a GPS monitor and isn’t allowed to use computers or the internet.

So time served in this case means about three months in jail and just under two years at a halfway house. Not much of a sentence given the magnitude of the data theft.

This case made a lot of news back in 2019 when Thompson was arrested. She had worked at Amazon’s cloud services and hacked into a series of businesses including Capital One partly to set up crypto mining on their computers and partly to download their client data.

Capital One Financial Corp. said data from about 100 million people in the U.S. was illegally accessed after prosecutors accused a Seattle woman identified by Amazon.com Inc. as one of its former cloud service employees of breaking into the bank’s server…

It included a wide array of personal data, such as names, addresses, phone numbers, dates of birth, self-reported income, credit scores and fragments of transaction history.

About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said…

In court on Monday, Thompson broke down and laid her head down on the defense table during the hearing.

Thompson uploaded some of that data to her personal GitHub site which is how she got caught. Someone noticed the data and notified Capital One that it was out there. Capital One verified it was their data and contacted the FBI. Thompson never sold or profited from the stolen data but the complaint noted that she apparently intended to do so. On her Twitter account she posted this:

The criminal complaint states, “I understand this post to indicate, among other things, that Paige A. Thompson intended to disseminate data stolen from victim entities, starting with Capital One.” But either because she never really meant to do it or because she got caught before she could, distribution of the stolen data never happened. Regardless, the hacking did cost Capital One (and ultimately their customers) a lot of money:

Capital One Financial agreed to pay $190 million to settle a class-action lawsuit that customers filed against the firm after a hacker — purportedly a Seattle woman who had held a day job with Amazon Web Services — broke into its cloud-computing systems and stole their personal information.

Again, I’m not surprised the DOJ is disappointed with the sentence in this case. It seems really light given the magnitude of the data theft. It also seems like it sends a very bad message to other hackers about what awaits them if they are caught.

Update: Here’s a local news report from 2019 on Thompson’s arrest.