Bulk mailer faces criminal charges

23/07/2004 Written by Declan McCullagh

A bulk e-​mailer in Florida has been charged with elec­tron­i­cally break­ing into a mas­sive data ware­house and steal­ing giga­bytes of per­sonal infor­ma­tion on Amer­i­cans, fed­eral pros­e­cu­tors said Wednesday.

Scott Levine, 45, of Boca Raton was indicted by a fed­eral grand jury in Arkansas for allegedly break­ing into Acxiom’s servers and down­load­ing 8.2 giga­bytes of data in what the U.S. Jus­tice Depart­ment called one of “the largest cases of intru­sion of per­sonal data to date.” Acx­iom, based in Lit­tle Rock, Ark., oper­ates the world’s largest repos­i­tory of con­sumer data and counts as cus­tomers major banks, credit card com­pa­nies, insur­ers and the U.S. government.

A 31-​page indict­ment released Wednes­day says that Levine, who ran Sniper​mail​.com, and one or more con­spir­a­tors accessed an Acx­iom server used for file trans­fers and down­loaded an encrypted pass­word file called ftpsam.txt in early 2003. Then they ran an unnamed crack­ing util­ity on the ftpsam.txt file, were able to dis­cover 40 per­cent of the pass­words, and used those accounts to down­load even more sen­si­tive infor­ma­tion, the indict­ment says.

Levine and his cohorts allegedly incor­po­rated “the stolen data into the Sniper­mail sys­tem” and resold it to clients, includ­ing a mar­keter work­ing on behalf of a firm “engaged in the man­u­fac­ture, sale and pro­mo­tion of a brand-​name phar­ma­ceu­ti­cal.” It’s unclear from the indict­ment how much of the alleged theft included e-​mail addresses ver­sus phys­i­cal mail­ing addresses, and the Jus­tice Depart­ment did not imme­di­ately respond to queries.

Levine could not be reached through e-​mail or on the phone Wednes­day. While the Sniper​mail​.com site is now offline, a com­pany Web page stored by Archive​.org in early 2003 touts Snipermail.com’s “opt-​in” mail­ing lists and stresses that “sub­scribers to that list have stated that they want to receive pro­mo­tional mes­sages.”

Sniper​mail​.com has drawn fire from anti­spam advo­cates in the past for falsely claim­ing to oper­ate only “opt-​in” lists. The company’s domain name shows up on the Reg­is­ter of Known Spam Oper­a­tions com­piled by the Spamhaus Project, and 63 sight­ings of spam from Sniper​mail​.com appear on Usenet’s abuse-​sightings dis­cus­sion group.

Acx­iom did not reply to ques­tions about how many Amer­i­cans were affected by the alleged dis­clo­sure. The com­pany pro­vided a state­ment say­ing that since 2003, “We’ve improved our intru­sion detec­tion, vul­ner­a­bil­ity scan­ning and encryp­tion sys­tems, enhanced our inter­nal and exter­nal audit prac­tices, and are fully com­mit­ted to work­ing with our clients and out­side experts to ensure con­tin­u­ous improve­ment in our secu­rity environment…There is no indi­ca­tion that any indi­vid­u­als are at risk of harm due to the breaches.”

Levine has been charged with 144 counts related to com­puter crime, with each file trans­fer listed as a sep­a­rate vio­la­tion of the law. The charges include con­spir­acy, unau­tho­rized access of a pro­tected com­puter, access device fraud (because of alleged pass­word mis­use), money laun­der­ing and obstruc­tion of jus­tice for allegedly try­ing to con­ceal evi­dence and erase hard dri­ves.

This is not the first pros­e­cu­tion to arise out of poor secu­rity prac­tices on Acxiom’s file trans­fer pro­to­col (FTP) server. Last year, an Ohio man named Daniel Baas pleaded guilty to ille­gally enter­ing Acxiom’s FTP site. That inves­ti­ga­tion led fed­eral police – includ­ing the FBI and Secret Ser­vice – to Levine, accord­ing to the Jus­tice Department.