Hacker Gets Probation for Massive Capital One Data Breach

The judge cites the hacker's mental health and transgender status in declining to sentence her to prison.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Capitol One sign
Getty Images

The hacker responsible for the massive 2019 data breach of Capital One has been sentenced to time served and five years of probation.

US District Judge Robert S. Lasnik said that sentencing former Amazon systems engineer Paige Thompson to time in prison would've been "particularly difficult on her because of her mental health and transgender status," the Department of Justice said in a statement.

US Attorney Nick Brown said in a statement that he was "very disappointed" with the sentencing decision. "This is not what justice looks like," he said. Thompson had faced up to 20 years in prison for wire fraud, but prosecutors instead had sought a seven-year sentence.

The hack, one of the largest-ever breaches of a financial services company, affected more than 100 million US customers and involved the theft of sensitive data including Social Security and bank account numbers. In addition to downloading data, Thompson planted cryptocurrency mining software on servers and directed crypto to her online wallet, the Justice Department said.

"Ms. Thompson's hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals," Brown said. "Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction."

Thompson, 37, was found guilty in June of wire fraud, unauthorized access to a protected computer and damaging a protected computer. She was acquitted on charges of aggravated identity theft and access device fraud.

Capital One agreed last year to pay $190 million to settle a class-action lawsuit filed by customers. In 2020, Capital One agreed to pay $80 million to settle claims by federal bank regulators that it failed to protect the data.

A hearing is scheduled for Dec. 1 to determine the amount of restitution Thompson must pay to her victims.