CFAA cases recently prosecuted

http://www.cybercrime.gov/cccases.html

Below is a list of press releases from recently prosecuted computer crime cases, including the cases summarized in the chart above.

Year 2006

• Former Federal Computer Security Specialist Sentenced for Hacking Department of Education Computer (May 12, 2006)
• “Botherder” Dealt Record Prison Sentence for Selling and Spreading Malicious Computer Code (May 8, 2006)
• California Man Pleads Guilty in “Botnet” Attack That Impacted Seattle Hospital and Defense Department (May 4, 2006)
• San Diego Computer Expert Charged with Hacking into U.S.C. Computer System Containing Student Applications (April 20, 2006)
• Former Federal Computer Security Specialist Pleads Guilty to Hacking Department of Education Computer (March 1, 2006)
• Cleveland, Ohio Man Sentenced to Prison for Bank Fraud and Conspiracy (February 28, 2006)
• Former Officer of Internet Company Sentenced in Case of Massive Data Theft from Acxiom Corporation (February 22, 2006)
• Grand Jury Returns Indictment Charging Student with Accessing Protected Computer at University of Utah (February 17, 2006)
• Utah Man Charged with Bringing Down Wireless Internet Services in Vernal Region (February 15, 2006)
• California Man Indicted for Botnet Attack That Impacted Hospital (February 10, 2006)
• Florida Man Indicted for Causing Damage and Transmitting Threat to Former Employer”s Computer System (February 7, 2006)
• Bot Herder Pleads Guilty to Fraudulent Adware Installs and Selling Zombies to Hackers and Spammers (January 23, 2006)
• Dayton, Ohio, Man Pleads Guilty to Sexual Exploitation Crimes Involving Minors and Computer Intrusion (January 19, 2006)

Year 2005

• Man Pleads Guilty to Infecting Thousands of Computers Using Worm Program then Launching them in Denial of Service Attacks (December 28, 2005)
• Silicon Valley Engineer Indicted for Stealing Trade Secrets and Computer Fraud (December 22, 2005)
• Former RNC New England Regional Director Convicted in New Hampshire Phone Jamming Case (December 15, 2005)
• Six Defendants Plead Guilty in Internet Identity Theft and Credit Card Fraud Conspiracy (November 17, 2005)
• Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and Spammers (November 3, 2005)
• Houston Man Pleads Guilty to Federal Identity Theft Charges, Says Justice Department (November 1, 2005)
• Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers and Making Bomb Threats to High Schools in Massachusetts and Florida (September 8, 2005)
• Federal Jury Convicts Former Technology Manager of Computer Hacking Offense Defendant Found Guilty of Placing Computer “Time Bomb” On Employer”s Network Following Employment Dispute (September 8, 2005)
• Creator and Four Users of Loverspy Spyware Program Indicted (August 26, 2005)
• Justice Department Announces Conviction of Florida Man Accused of Massive Data Theft from Acxiom, Inc.(August 12, 2005)
• Disgruntled Phillies Fan/Spammer Sent to Prison for Four Years (July 14, 2005)
• Former IT Manager of Silicon Valley Firm Pleads Guilty to Computer Crime Charges (June 8, 2005)
• Former Alta Vista Employee Pleads Guilty to Hacking into Alta Vista Computer Systems (May 9, 2005)
• Former Computer Science Graduate Student Sentenced for Hacking Major Corporations (April 25, 2005)
• Pleasant Hill, California Computer Hacker from “Deceptive Duo” Guilty of Intrusions into Government Computers and Defacing Websites (March 11, 2005)
• Queens Man Sentenced to 27 Months’ Imprisonment on Federal Charges of Computer Damage, Access Device Fraud and Software Piracy (February 28, 2005)
• Former IT Manager of Software Firm Indicted on Computer Crime Charges (February 16, 2005)
• Computer Hacker Who Victimized T-Mobile Pleads Guilty in Los Angeles Federal Court (February 15, 2005)
• Juvenile Sentenced for Releasing Worm That Attacked Microsoft Web Site (February 11, 2005)
• Minnesota Man Sentenced to 18 Months in Prison for Creating and Unleashing a Variant of the MS Blaster Computer Worm (January 28, 2005)

Year 2004

• Hacker Sentenced to Prison for Breaking into Lowe’s Companies’ Computers with Intent to Steal Credit Card Information (December 15, 2004)
• Nineteen Individuals Indicted in Internet ‘Carding’ Conspiracy (October 28, 2004)
• Ex-Official of Manhattan Computer Consulting Firm Pleads Guilty to Computer Attack Charge (September 9, 2004)
• California Man Admits Hacking Into Computers of High-Technology Company (August 31, 2004)
• Former Employee of a Massachusetts High-Technology Firm Charged with Computer Hacking (August 23, 2004)
• Six Internet Fraudsters Indicted in International Conspiracy to Steal More Than $10 Million From World’s Largest Technology Distributor (August 4, 2004)
• Vallejo, California Woman Admits to Embezzling More Than $875,035 (July 28, 2004)
• Florida Man Charged with Breaking into Acxiom Computer Records (July 21, 2004)
• China Citizen Pleads Guilty to Unauthorized Access of a Software Company with Intent to Defraud (July 7, 2004)
• Seattle, Washington Man Arrested for Hacking into Internet Search Engine Alta Vista (July 2, 2004)
• Federal Judge Sentences Staten Island, New York Ex-Official of Local Internet Service Provider to Prison for Computer Attack (June 16, 2004)
• Pennsylvania Man Sentenced to Prison for Accessing Massachusetts Investor’s On-line Investment Account and Making $46,000 in Unauthorized Trades (May 5, 2004)
• Former Employee of Viewsonic Sentenced to One Year for Hacking into Company’s Computer, Destroying Data (February 23, 2004)
• Two California Men Indicted for Unlawfully Obtaining Credit Information, Attempted Credit Fraud (February 10, 2004)
• Former Employees of Dallas-based Car Parts Distributorship Charged with Repeatedly Intruding into Competitor’s Computer Database for Commercial Advantage and Illegally Trafficking in Computer Passwords. (February 9, 2004)
• Louisiana Man Arrested for Releasing 911 Worm to WebTV Users (February 19, 2004)
• Man Pleads Guilty to Gaining Unauthorized Access and Recklessly Damaging Computers of Several High-Technology Companies Including eBay and Qualcomm From His Graduate School Dorm Room (January 29, 2004)
• Hacker Pleads Guilty in Manhattan Federal Court to Illegally Accessing New York Times Computer Network (January 8, 2004)

Year 2003

• Milford, Ohio Man Pleads Guilty to Hacking (December 18, 2003)
• Former Hellmann Logistics Computer Programmer Sentenced for Unauthorized Computer Intrusion (December 5, 2003)
• Former Employee of American Eagle Outfitters Sentenced to Prison for Password Trafficking and Computer Damage (December 2, 2003)
• Three Men Indicted for Hacking into Lowe’s Companies’ Computers with Intent to Steal Credit Card Information (November 20, 2003)
• Two Alleged Computer Hackers Charged in Los Angeles as Part of Nationwide ‘Operation Cyber Sweep’ (November 20, 2003)
• Two Alleged Computer Hackers Charged in Los Angeles as Part of Nationwide ‘Operation Cyber Sweep’ (November 20, 2003)
• Dallas, Texas FBI Employee Indicted for Public Corruption (November 5, 2003)
• Disgruntled Philadelphia Phillies Fan Charged with Hacking into Computers Triggering Spam E-mail Attacks (October 7, 2003)
• Former Employee of Viewsonic Pleads Guilty to Hacking into Company’s Computer, Destroying Data (October 6, 2003)
• President of San Diego Computer Security Company Indicted in Conspiracy to Gain Unauthorized Access into Government Computers (September 29, 2003)
• Juvenile Arrested for Releasing Variant of Blaster Computer Worm That Attacked Microsoft (September 26, 2003)
• U.S. Charges Hacker with Illegally Accessing New York Times Computer Network (September 9, 2003)
• Minneapolis, Minnesota 18 year old Arrested for Developing and Releasing B Variant of Blaster Computer Worm (August 29, 2003)
• Former Computer Technician in Douglasville, Georgia Arrested for Hacking into Government Computer Systems in Southern California (August 25, 2003)
• Russian Man Sentenced for Hacking into Computers in the United States (July 25, 2003)
• FBI Employee Arrested and Charged in Three Federal Indictments (July 17, 2003)
• Queens, New York Man Pleads to Federal Charges of Computer Damage, Access Device Fraud and Software Piracy (July 11, 2003)
• Kazakhstan Hacker Sentenced to Four Years Prison for Breaking into Bloomberg Systems and Attempting Extortion (July 1, 2003)
• Southern California Man Who Hijacked Al Jazeera Website Agrees to Plead Guilty to Federal Charges (June 12, 2003)
• Computer Hacker Sentenced to One Year and One Day And Ordered to Pay More than $88,000 Restitution For Series of Computer Intrusions and Credit Card Fraud (June 12, 2003)
• Three Californians Indicted in Conspiracy to Commit Bank Fraud and Identity Theft (May 12, 2003)
• Ex-employee of Airport Transportation Company Guilty of Hacking into Company’s Computer (April 18, 2003)
• San Jose, California Man Indicted for Theft of Trade Secrets and Computer Fraud (April 2, 2003)
• Student Charged with Unauthorized Access to University of Texas Computer System (March 14, 2003)
• St. Joseph Man Pleads Guilty in District’s First Computer Hacking Conviction (March 13, 2003)
• Computer Hacker Pleads Guilty to Computer Intrusion and Credit Card Fraud (March 13,2003)
• California Woman Convicted for Unauthorized Computer Access to Customer Account Information in Credit Union Fraud Prosecution (March 10, 2003)
• Los Angeles, California Man Sentenced to Prison for Role in International Computer Hacking and Internet Fraud Scheme (February 28, 2003)
• Former Employee of American Eagle Outfitters Indicted on Charges of Password Trafficking and Computer Damage (February 26, 2003)
• U.S. Convicts Kazakhstan Hacker of Breaking into Bloomberg L.P.’s Computers and Attempting Extortion (February 26, 2003)
• Ex-employee of Airport Transportation Company Arrested for Allegedly Hacking Into Computer, Destroying Data (February 20, 2003)
• Ohio Man Attacked NASA Computer System Shutting Down Email Server (February 13, 2003)
• Former Employee of Viewsonic Arrested on Charges of Hacking into Company’s Computer, Destroying Data (February 6, 2003)
• Pittsburgh, Pennsylvania Man Convicted of Hacking a Judge’s Personal E-Mail Account (January 23, 2003)

Year 2002

• St. Joseph, Missouri Man Charged in Western District’s First Computer Hacking Indictment (December 20, 2002)
• U.S. Arrests Queens, New York, Man on Computer Fraud Charges (December 20, 2002)
• Disgruntled UBS PaineWebber Employee Charged with Allegedly Unleashing “Logic Bomb” on Company Computers (December 17, 2002)
• Hacker Pleaded Guilty to Attacks on San Diego Auto Site (November 15, 2002)
• British National Charged with Hacking Into N.J. Naval Weapons Station Computers, Disabling Network After Sept. 11; Indictment Also Filed in Virginia for Other Military Intrusions (November 12, 2002)
• London, England Hacker Indicted under Computer Fraud and Abuse for Accessing Military Computers (November 12, 2002)
• Russian Computer Hacker Sentenced to Three Years in Prison (October 4, 2002)
• San Gabriel Valley, California Man Pleads to Illegally Accessing Former Employer’s Computers (September 9, 2002)
• San Fernando Valley Residents Indicted in Scheme to Hack Into Software Firm Computer and Delete $2.6 Million Project (August 2, 2002)
• Two Kazakhstan Citizens Accused of Breaking Into Bloomberg L.P.’s Computer and Extortion are Extradited (May 21, 2002)
• Twenty Seven Month Sentence in Internet Fraud Scheme to Defraud Priceline.Com and Others; Unauthorized Computer Access Conspiracy May 17, 2002)
• Former Chief Technology Intrusions; Transmitting Threats Via the Internet (May 16, 2002)
• Green Bay, Wisconsin Man Charged with Computer Intrusion, Software Piracy and Numerous Destructive Acts (May 7, 2002)
• Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison (May 1, 2002)
• U.S. Charges Engineer with Computer Intrusion, Destruction of Database at Manhattan Apparel Company (April 26, 2002)
• Man Pleads Guilty to Unauthorized Access of Las Vegas Medical Imaging Computer System (April 17, 2002)
• Computer Operator Sentenced for Breaking Into Ex-Employer’s Database (March 27, 2002)
• Parma, Ohio Man Indicted for Unauthorized Access into Computer System of Alltel Communications, Inc.; Threatening E-Mails (March 26, 2002)
• Former Computer Network Administrator at New Jersey High-Tech Firm Sentenced for Unleashing $10 Million Computer “Time Bomb” (February 26, 2002)
• Former Chase Financial Corp. Employees Sentenced for Scheme to Defraud Chase Manhattan Bank and Chase Financial Corporation (February 19, 2002)
• Orange County Computer Hacker Sentenced to Prison for Breaking into University Computers, NASA Systems (February 4, 2002)
• Manhattan Paralegal Sentenced for Theft of Litigation Trial Plan (January 30, 2002)
• San Francisco Man Pleads Guilty to Unauthorized Access of Catholic Healthcare West Computer Causing Damage (January 18, 2002)

Historical cases

Notable cases and decisions referring to the Act

• United States v. Riggs, the famous case against people associated with Phrack magazine for taking the E911 document, as described in Bruce Sterling‘s “Hacker Crackdown of 1990″. The government dropped the case after it was revealed that the document was for sale from AT&T for $13. The E911 document was related to the founding of the Electronic Frontier Foundation.^[1]

• United States v. Morris, 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to federal interest computers. This case in part led to the 1996 amendment of the act, which clarified the language that was argued during the case.^[2]

• Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit). Using a civil subpoena which is “patently unlawful”, “bad faith” and “at least gross negligence” to gain access to stored email is a breach of this act and the Stored Communications Act.^[3]

• International Airports v Jacob Citrin, 2006, 18 U.S.C. § 1030(a)(5)(A)(i). Citrin deleted files off his company computer before he quit, in order to hide his alleged bad behavior while an employee. ^[4]

• LVRC Holdings v. Brekka, 2009 1030(a)(2), 1030(a)(4). LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business. ^[5][6]

• Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.^[7][8]

• United States v. Lori Drew, 2008. The ‘cyberbullying’ case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using 18 U.S.C. § 1030(a)(2)(C) against someone violating a ‘terms of service’ agreement would make the law overly broad. 259 F.R.D. 449 ^[9][10]

• People v. SCEA, 2010. Class action lawsuit against SCEA for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.^[11]

• Sony Computer Entertainment America v. George Hotz and Hotz v. SCEA, 2011. SCEA sued ‘Geohot’ and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated 18 U.S.C. § 1030(a)(2)(c) ([by] taking info from any protected computer). Hotz denied liability and contested the Court’s exercise of personal jurisdiction over him. ^[12] The parties settled out of court.

• United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)^[13][14]

• United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access. One of his advisors, Jesselyn Radack of the Government Accountability Project, called his work an “act of civil disobedience“.^[15]

• United States v. Bradley Manning, 2010-. Bradley Manning was a soldier who allegedly disclosed tens of thousands of documents to those ‘not entitled to receive’ them. Among the 34 counts against him, there are several under (a)(1) and (a)(2) of the CFAA, some specifically linked to files like the Reykjavic 13 State Department cable and a video of the July 12, 2007 Baghdad airstrike. ^[16]

• Grand Jury investigation in Cambridge, 2011. Unknown persons in Cambridge, Massachusetts, were ordered to attend Grand Jury hearings regarding charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written these were likely related to Wikileaks. ^[17]

• United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR, which he later used in an academic study. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. The CFAA statutes against him were (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI). ^[18]

• United States v. Peter Alfred-Adekeye 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded CISCO iOS, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of anti-competitive practices.^[19]

• Pulte Homes v. Laborer’s International Union of North America et al. 2011. Pelte company fired a LIUNA employee, resulting in a labor dispute with LIUNA. LIUNA told its members to email and phone the company and tell it how they felt. This resulted in a CFAA charge because the company’s email system got overloaded. ^[20]

• United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.^[21][22]

• United States v Nada Nadim Prouty, circa 2010. ^[23] Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a US attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship. ^[24]

[edit] See also

• Defense Secrets Act of 1911 / Espionage Act of 1917 / McCarran Internal Security Act 1950
• California Comprehensive Computer Data Access and Fraud Act
• Electronic Communications Privacy Act
• LVRC Holdings v. Brekka
• In re DoubleClick
• MBTA v. Anderson

• Information technology audit
• Computer security audit
• Computer fraud case studies
• The Hacker Crackdown (mentions the law, & the eponymous Chicago task force)
• Protected Computer
• Wikileaks