Kind of torn on this one. On the one hand, the fact that PII was exfiltrated should be taken very seriously. The sentence seems a bit light on this one. Though, at the same time, his being in prison isn't going to change anything for the people who had their PII compromised and at least he was charged and convicted. That alone is a big step forward for the US legal system where normally these sorts of crimes end with the company raiding the CEO's hookers and blow petty cash box to pay the fine and that's the end of it. I know... won't someone think of the executives!?
The "bug bounty" bit... meh. I suppose it could technically be seen as some kind of market manipulation or other fraud, and while he should have known better, there's a very good chance he wasn't some rogue actor who took it upon themselves to take this action alone. It was likely cleared with others like the CFO and CEO. On that one, probation and community service seems on the light, but fair side. Probation isn't as easy as a lot of people think. You have to regularly check in with your PO, live by a bunch of arbitrary rules set by your PO, you can be in violation of your parole if you don't have a job and getting a job with a felony conviction can be difficult, plus it's often times ridiculously expensive. His community service should be having to work for some credit monitoring outfit or something that is largely related to what he was convicted of, not just picking up trash on the side of the road or something.