He could have thought that the organization was too corrupt and incompetent to track the attack. He might have been unaware of law enforcement investigation procedures, or jurisdiction risks.

It would be common for script kids to lack sophistication in forensics, legal risk analysis, and not really understand the magnitude of their crime.

Assuming there is no evidence that he was getting paid by a third party to do this, I think his defense could have argued he was a naive and immature prankster that didn't think they were doing real damage, not a hardened criminal intentionally causing damage for profit.

He only got 2 years. Seems light, for nearly a million dollars in damages, right?

A 2-year vacation with free food and housing and criminal advocacy, and then try again maybe with more professional approaches? The birth of a real pro!

Doesn't sound so bad honestly. He'll be 41 when he gets out, and ready to strike again! Maybe he'll get a big brain, and go straight into security consultancy, a la Mitnick! Either way, the kid just made his boldest career move! Wishing him all the best of luck!

When the company let him leave without invalidating his credentials, he developed the idea that he could act with impunity because the company was just completely incompetent on the security front.

The problem was that he acted without knowledge of modern forensics.