That is the message here.
IMHO, the "punishment" trajectory should aim toward Capital One. After all they are the ones who ultimately fucked up.
Frankly; Oh dear my ex-employee, or someone "trusted" who was pissed off because I/We didn't think I/We did anything to piss them off is not an admissible excuse.
Why anyone should weep for a multi-billion dollar company while crowing "throw the bitch in jail" for exposing their lacking security practices is beyond me.
Who is the criminal. A large mega-corp who could not keep their shit straight or an individual who proved their security perfectly invalid, and then told us!
Cry me a river...