Would this truly fit "real damage" in your opinion? Based on the outcome I'd project it doesn't - but the real question is do you feel the potential punishment is representative of the crime?
I'm guessing the actual monetary value assessed was some consultative analysis paid out to investigate the "breach", beyond that I find it hard to believe the actual cost to fix was more than three figures.
Of course it does. And if they paid forensic analysts to track down the breach, they got the deal of a lifetime; we don't do that kind of work, but of course work with other firms that do, and $15k is below table stakes for that kind of work. A high-profile forensics investigation can clear 50k easy.
And again, while cost accelerators on sentences are disquieting and a serious problem, they're not the fulcrum for Keys' outcome; it's the combination of cost, overtly damaging acts, and abuse of authority that combine to put Keys in Zone C. Put differently: had Keys not been a Reuters employee, he'd be eligible for probation. (He could still be, depending on what the prosecution does and doesn't manage to prove. Unlike drug defendants, Keys has excellent representation.)
What if Tribune had a sister company in some other country (Australia) that did something completely unrelated. Sell children's toys or something.
An admin for the sister company gives up his credentials in order for Anonymous to deface the children's site. They instead use it to deface the Chicago Tribune.
The admin has no earthly clue that the systems are inter-related. In fact, they've been told that the systems are independent by design; anonymous found a very clever flaw.
Is he as guilty as your hypothetical Tribune admin who gave up his password to deface the Tribune?
As I understand it, he's guilty, but potentially not as guilty.
He's an accomplice if he understood the goals of Anonymous, gave them credentials to further their acts, but didn't map out with them exactly what they were going to do --- accomplice liability is for all intents in purposes liability.
On the other hand, if he casually gave them credentials because what the fuck who cares, and had no understanding that Anonymous might deface a website, he have lesser liability, or might not be liable for the defacement of the website while remaining liable for a reduced or lesser number of CFAA charges.
I'm guessing the actual monetary value assessed was some consultative analysis paid out to investigate the "breach", beyond that I find it hard to believe the actual cost to fix was more than three figures.