by waterside81 1465 days ago
Any idea what kind of sentence she faces?

It's grim. Thompson did just about everything they could have done to escalate their sentence short of finding a way to traffic explosive devices or desecrate a veterans cemetery. The sentence in reality will come down to how they account for losses to the victims, but any plausible number here rockets you to the bottom of the sentencing table (the difference between 50MM and 250MM in the sentencing guidelines is much smaller than the difference between $5k and $100k).

Roughly here, you get:

     6 base sentence level for 2B1.1 crimes
     +20-28 victim loss(!)
     +4 multiple victims
     +2 sophisticated means or multiple jurisdictions
     +2 trafficking in access devices (incl. account numbers)
     +4 (maybe) jeopardizing the safety of a financial institution
     +2 PII
     +4 malware (the indictment more or less demands this one)
     +2 obstruction or destruction of evidence

Assume no criminal history for the defendant, then, without replicating the whole table, level 10 is 6-12 months, level 20 is 3 years, level 30 is 7-9 years, and level 40 is 25-30 years.
> +2 PII

> +2 trafficking in access devices (incl. account numbers)

FWIW, the jury found her not guilty on these particular counts (9 and 10).

https://storage.courtlistener.com/recap/gov.uscourts.wawd.27...

That's a good catch; I just grabbed the indictment from PACER. Worth noting though that they don't have to find Thompson guilty on those counts to trigger those accelerators (and it's hard to believe Thompson could dodge the PII sentencing modification since there's zero doubt as to whether their conduct involved PII).

Ultimately though I think it'll come down to how much money Capital One lost dealing with this and the aftermath (again, I assume less the fines and lawsuit).

TFW you realize ‘tptacek knows more about stuff he doesn’t do for a living than you do about stuff you do for a living. :)

I break into computers for a living, and stories like this are in the news all the time. I'd probably do much worse at, like, an embezzlement case.

I'm also probably (I hope) wrong about the 2B1.1 loss calculation here; I read the USSC primer on it and it's not super clear but leans me towards the idea that a penalty assessed on Capital One for doing a poor job securing their data can't be included in a loss assessment against Thompson, and I'm not clear that the damages for a settled lawsuit over same could apply either.

So total losses could be in the single-digit millions (as a general rule of thumb, you can't get convicted in federal court of hacking a real company and incur less than ~100k in damages, simply because of the cost of insurance-mandated forensics investigations --- here I don't really see any chance that the "actual damages" could have been less than 7 figures given the magnitude of what was stolen).

There is also, per the USSC document, a formula for computing damages "per access device", where "access device" is a term of art that includes account numbers, so that could also generate a nosebleed sentence.

For no reason whatsoever, just based on doing this exercise for every 18 USC 1030 case that's been in the news for the last decade or so, my wild-ass underinformed guess is that the sentence will end up under 10 years, but more than 5.

You need one of these

https://twitter.com/80snewsscreens/status/153451127149155532...

but with 'Forum Sentencing Expert'

He does security for a living. It seems pretty important to know how much jail time you would be facing if you cross the line from whitehat to blackhat (including who legally gets to decide that line).

Another story about the case says "up to 20 years" but I assume that comes with all the usual caveats, e.g. they may have just totaled up the maximum sentence from each individual count as if they had to be served consecutively.