Pretty much. The US were kinda embarrassed by this guy. From what I've read, the $800K of damages was actually just him logging in with a VNC client using a blank password, then clicking around. I wouldn't be surprised if they spent $800K securing the systems he accessed and then claimed that was the 'damage'.
See also the raid on Steve Jackson games where documents available in public libraries (and which were also sold to the public) were claimed to be sensitive secrets worth many thousands of dollars.
And yet we seem to be taken by surprise, well, almost every time. The nature of the business is such that we just have to trust that they're actually doing something besides sitting on their collective asses in Langley and counting down the days to retirement.
I realize we need a foreign intelligence service, but I'm not sure we need this foreign intelligence service. There are 14 separate US government agencies that collect intelligence in other countries as part of their mission. We might be able to do without the CIA.
So we just make shit up now, to make things look as bad as possible and as worth prosecution as possible?