First, the SAR thresholds are not absolute - you can always report on a SAR activity that is below those thresholds.
FDIC put out some guidance on your question a few years ago in FIL 124-97 at http://www.fdic.gov/news/news/financial/1997/fil97124.html that may help you. Also, in FIL 98-98 they reinforce my point above by encouraging institutions to file an SAR whenever they become aware of any attempt to access customer information via pretext calling.
Even if your illegal computer access resulted in no monetary loss, the potential for loss far in excess of the SAR reporting thresholds occurs whenever there is illegal computer access. You mentioned defacing the bank's website. How do you quantify the loss associated with that? How many potential customers did you lose? You'll never know.
------------------
Opinions expressed are my own, and do not necessarily reflect those of my employer.