[ISN] Hacker found guilty in massive data theft case

InfoSec News isn at c4i.org
Tue Aug 16 02:19:05 EDT 2005


By China Martens
IDG News Service

A Florida man was found guilty of stealing data from customer
information management company Acxiom Friday. The prosecution
estimates that Scott Levine and his defunct bulk e-mail marketing firm
Snipermail.com stole more than 1.6 billion customer records by hacking
into an Acxiom server.

A jury in Little Rock, Ark., convicted Levine, of Boca Raton, on 120
counts of unauthorized access of a protected computer, two counts of
access device fraud and one count of obstruction of justice. The jury
cleared him of 13 counts of unauthorized access of a protected
computer, one count of conspiracy and one count of money laundering.

"Those who steal private information can expect to be aggressively
investigated and brought to justice," Deputy Assistant Attorney
General Laura Parsky, said in a Friday statement from the U.S.  
Department of Justice.

The criminal investigation was jointly conducted by the FBI and the
U.S. Secret Service, Criminal Investigation Division. Levine was
charged on July 21, 2004, with breaking into an Acxiom computer
database to steal personal data. Levine and other Snipermail staff
downloaded around 8.2G bytes of personal data from the Acxiom server
between April 2002 and August 2003, according to the Justice

Levine's case went to trial on July 11, 2005, and the jury started its
deliberations on Aug. 10. Sentencing by U.S. District Court Judge
William Wilson is set for Jan. 9, 2006. The maximum sentences for
Levine's convictions would total 640 years in prison and/or fines of
$30.75 million. Each count of which he's been convicted has a maximum
associated fine of $250,000, while maximum prison time for each of the
offenses range between five and 20 years.

Several former Snipermail employees testified against Levine that they
and he had conspired to cover up physical evidence relating to the
break-ins and data theft.

"This case sends a clear message that cybercrime will not be
tolerated, and Acxiom is satisfied and pleased by the verdict," Acxiom
said in a statement released Friday. "We believe this case sets an
example and will deter others who may be attempting, or even
contemplating, attacks on data security."

Since the security breaches were first uncovered and stopped in the
summer of 2003, Acxiom has committed to better protecting its systems
and the data those systems contain, according to the company.

"We have improved our intrusion detection, vulnerability scanning and
encryption systems, enhanced our internal and external audit
practices, and are fully committed to working with our clients and
outside experts to ensure continuous improvement in our security
environment," Acxiom said in the statement. "There is no evidence that
any individuals are at risk of harm due to the breaches. It is also
important to note that only one external server was accessed, and
there was no intrusion of Acxiom's internal security firewalls or
internal databases."

Investigators from the Sheriff's Office in Hamilton County, Ohio,
stumbled across Levine's database hacking while engaged in an
unrelated investigation that Ohio resident Daniel Baas had illegally
accessed and downloaded data from an Acxiom server. Baas later pled
guilty to federal charges in Ohio on Dec. 2, 2003.

More information about the ISN mailing list