This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://management.silicon.com/government/0,39024677,39156703,00.htm
Data thief gets eight years in the clink
Ex-Snipermail CEO convicted of 'one of the largest data heists to date'...
By Declan McCullagh
Published: Thursday 23 February 2006
A bulk emailer who looted more than a billion records containing personal information from a data warehouse has been sentenced to eight years in prison, federal prosecutors said on Wednesday.
Scott Levine, 46, was sentenced by a federal judge in Little Rock, Arkansas, after being found guilty of breaking into Acxiom's servers and downloading gigabytes of data in what the US Justice Department describes as one of the largest data heists to date. Acxiom says it operates the world's largest repository of consumer data, and counts major banks, credit card companies and the US government among its customers.
In August 2005, a jury convicted Levine, a former chief executive of a bulk email company called Snipermail.com, of 120 counts of unauthorised access to a computer connected to the internet. According to the US government, however, there is no evidence Levine used the data for identity fraud.
Prosecutors had asked for a longer sentence but expressed satisfaction with an eight-year prison stay. US attorney Bud Cummins of the Eastern District of Arkansas said: "This sentence reflects the seriousness of these crimes." It also includes a $12,300 fine; restitution has not yet been determined.
According to court documents, Levine and others broke into an Acxiom server used for file transfers and downloaded an encrypted password file called ftpsam.txt in early 2003. Then they ran a cracking utility on the ftpsam.txt file, prosecutors said, discovered 40 per cent of the passwords, and used those accounts to download even more sensitive information.
When it was in operation, Snipermail.com drew fire from anti-spam advocates for falsely claiming to operate only "opt-in" lists. The company's now-defunct domain shows up on the Register of Known Spam Operations compiled by the Spamhaus Project, and dozens of sightings of spam from Snipermail.com appear on Usenet's news.admin.net-abuse.sightings discussion group.
Acxiom has said that after the 2003 intrusion, it improved its intrusion detection, vulnerability scanning and encryption systems.
This is not the first prosecution to arise out of poor security practices on Acxiom's file transfer protocol (FTP) server. An Ohio man named Daniel Baas previously pleaded guilty to illegally entering Acxiom's FTP site. That investigation led federal police - including the FBI and Secret Service - to Levine, according to the Justice Department.
Declan McCullagh writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.