The Ninth Circuit Court of Appeals has upheld Matthew Keys' conviction and sentence of two years for a 40-minute web defacement he didn't actually perform himself. That works out to basically 18 days for every minute of mild disruption the LA Times suffered, as it (very briefly) suffered through a headline changed to read "Pressure builds in House to elect CHIPPY 1337."
Prosecutors actually wanted five years for this momentary mild hacking, but still managed to end up with two years after the LA Times submitted enough paperwork to make it appear as though this 40-minute malicious hiccup racked up $1 million in CFAA damages.
The appeals court isn't there to question the accuracy of the LA Times' bill of lading, but it does use the inflated figure to affirm the part of the sentencing affected by the claimed damages. From the unpublished opinion [PDF]:
Concerning employee response time, the district court did not abuse its discretion by relying on loss estimates based on employees’ testimonies or on the worksheet prepared by a Fox 40 executive. In response to Keys’s challenge to inconsistencies in the employee salary evidence, the district court appropriately re-reviewed the trial testimony and considered the amount in light of national statistics on the value of non-liquid employee benefits.
The government presented evidence that nearly all of the 20,000 Fox 40 Rewards Program members cancelled their participation in response to Keys’s conduct. Starting essentially from square one, the database took three years to rebuild. The district court did not abuse its discretion in relying on the Fox 40 executive’s representation that this process cost $200,000. It was appropriate for the district court to order restitution in the amount it cost Fox 40 to replace the member database, as it would be difficult to determine the fair market value of such an asset.
Basically, this database could have been worth any amount, so why not the $200k the LA Times claims it's worth. That adds to the restitution amount owed by Keys and also plays a small part in the sentencing. But in total, this is overkill for a 40-minute web defacement, especially one performed by someone else using Keys' login credentials. The move may have been petty and amateurish but it's extremely difficult to believe the momentary elevation of Chippy 1337 to the front page of the LA Times' website warrants a two-year sentence and thousands of dollars in fines.
But it appears the DOJ is happy with this outcome. And having completed its prosecution of Keys, it's presumably performing an OJ Simpson-style hunt for the person who actually performed the defacement.