Hacker found guilty in massive data theft case

A Florida man was found guilty of stealing data from customer information management company Acxiom Corp. Friday. The prosecution estimates that Scott Levine and his defunct bulk e-mail marketing firm Snipermail.com Inc. stole more than 1.6 billion customer records by hacking into an Acxiom server.

A jury in Little Rock, Arkansas, convicted Levine, of Boca Raton, on 120 counts of unauthorized access of a protected computer, two counts of access device fraud and one count of obstruction of justice. The jury cleared him of 13 counts of unauthorized access of a protected computer, one count of conspiracy and one count of money laundering.

"Those who steal private information can expect to be aggressively investigated and brought to justice," Deputy Assistant Attorney General Laura Parsky, said in a Friday statement from the U.S. Department of Justice (DOJ).

The criminal investigation was jointly conducted by the U.S. Federal Bureau of Investigation and the U.S. Secret Service, Criminal Investigation Division. Levine was charged on July 21, 2004 with breaking into an Acxiom computer database to steal personal data. Levine and other Snipermail staff downloaded around 8.2 gigabytes of personal data from the Acxiom server between April 2002 and August 2003, according to the DOJ.

Levine's case went to trial on July 11, 2005, and the jury started its deliberations on Aug. 10. Sentencing by U.S. District Court Judge William Wilson is set for Jan. 9, 2006. The maximum sentences for Levine's convictions would total 640 years in prison and/or fines of US$30.75 million. Each count of which he's been convicted has a maximum associated fine of $250,000, while maximum prison time for each of the offenses range between five and 20 years.

Several former Snipermail employees testified against Levine that they and he had conspired to cover up physical evidence relating to the break-ins and data theft.

"This case sends a clear message that cybercrime will not be tolerated, and Acxiom is satisfied and pleased by the verdict," Acxiom said in a statement released Friday. "We believe this case sets an example and will deter others who may be attempting, or even contemplating, attacks on data security."

Since the security breaches were first uncovered and stopped in the summer of 2003, Acxiom has committed to better protecting its systems and the data those systems contain, according to the company.

"We have improved our intrusion detection, vulnerability scanning and encryption systems, enhanced our internal and external audit practices, and are fully committed to working with our clients and outside experts to ensure continuous improvement in our security environment," Acxiom said in the statement. "There is no evidence that any individuals are at risk of harm due to the breaches. It is also important to note that only one external server was accessed, and there was no intrusion of Acxiom’s internal security firewalls or internal databases."

Investigators from the Sheriff's Office in Hamilton County, Ohio, stumbled across Levine's database hacking while engaged in an unrelated investigation that Ohio resident Daniel Baas had illegally accessed and downloaded data from an Acxiom server. Baas later pled guilty to federal charges in Ohio on Dec. 2, 2003.