A New York teenager broke into AOL's networks and infected its customer databases with a malicious program to steal confidential data, AOL and the Manhattan District Attorney's Office allege.
In a criminal complaint, the DA's office alleges that, between 24 December, 2006 and 7 April, 2007, 17-year old Mike Nieves committed offences like computer tampering, computer trespass and criminal possession of computer material.
Among his alleged exploits:
- Accessing systems containing customer billing records, addresses and credit card information
- Infecting machines at an AOL customer support call centre in New Delhi, India, with a program to funnel information back to his PC
- Logging in without permission into 49 AIM instant message accounts of AOL customer support employees
- Attempting to break into an AOL customer support system containing sensitive customer information
- Engaging in a phishing attack against AOL staffers, through which he gained access to over 60 accounts from AOL employees and subcontractors
The alleged acts cost AOL over $500,000. It's not clear whether customer data was stolen. AOL declined to comment. The DA's office spokesman said the investigation into Nieves' alleged acts continues. "It's too early to tell exactly what [data] he compromised or not," he said.
The complaint states that Nieves admitted to investigators that he committed the alleged acts because AOL took away his accounts. "I accessed their internal accounts and their network and used it to try to get my accounts back," the defendant is quoted as saying in the complaint. He also admitted to posting photos of his exploits on a website, according to the complaint.
One doesn't have to be a computer genius to carry out the alleged acts, thanks to the free availability of multiple hacking tools, said Mark Rasch, managing director of technology at FTI Consulting. "Even a disgruntled kid working alone can throw a virtual tantrum and cause a significant amount of damage to a large technology corporation," Rasch said. "Welcome to the new world."
If the defendant was honest about his motivation in his reported confession, it's safe to assume that he wasn't interested in stealing data for financial gain, Rasch said. Still, it'll be interesting to find out what steps AOL is taking if customer data was in fact compromised, he said.
There aren't enough facts available to judge whether AOL could have done more to prevent the alleged intrusion. "We'll learn more as the case goes on," he said. "AOL has had pretty good security over the years."
Authorities arrested Nieves after AOL provided them with information from an internal investigation into the alleged acts. AIM subscriber information and IP address data involved in the acts led AOL to Nieves, whose address and phone number AOL had on file, according to the complaint.
The New York Post reported that Nieves lives in Staten Island and quoted his mother as saying that he is a special education student with behavioural problems. An anonymous source told the Post that Nieves has caused AOL problems for years.
A source close to the investigation said that Nieves was allegedly part of a "loosely coupled" group of hackers who have targeted AOL and other companies in recent years, but that Nieves focused specifically on hacking into AOL.