British hacker accused of stealing data from Federal Reserve computers

28 Feb, 2014 17:46 / Updated 11 years ago

The United States Department of Justice this week unsealed its third indictment in four months against Lauri Love, a United Kingdom resident now accused of hacking into a computer system used by the US Federal Reserve.

On Thursday, federal prosecutors in New York announced that an indictment filed against the 20-something Stradishall, Suffolk man nearly a week earlier had been unsealed, publicizing a new pair of charges against Love: one count each of computer hacking and aggravated identity theft.

“As alleged, Lauri Love is a sophisticated hacker who broke into Federal Reserve computers, stole sensitive personal information and made it widely available, leaving people vulnerable to malicious use of that information,” US Attorney for the Southern District of New York Preet Bharara said in a statement released by the Justice Dept. on Thursday.

“We place a high priority on the investigation and prosecution of hackers who intrude into our infrastructure and threaten the personal security of our citizens,” added Bharara, who since 2012 has been overseeing the prosecution of Hector Monsegur, a former New York City hacker currently awaiting sentencing for a laundry list of criminal offenses he helped carry out as a member of the hacktivist group Anonymous and an offshoot, LulzSec, before agreeing to act as a federal informant.

Love has yet to be charged in the UK, and authorities there could neither confirm nor deny to the BBC this week if an extradition to America is being sought. Should he be sent stateside, however, Love will likely have to defend himself against allegations that he hacked more than just the US central bank. As RT reported previously, indictments were unsealed against Love last October in New Jersey and Virginia which together accused him of compromising the computer systems of the US Army, the Pentagon’s Missile Defense Agency, NASA, the Department of Health and Human Services, the US Sentencing Commission, the Regional Computer Forensics Laboratory and the US Department of Energy.

Collectively, the hacks described herein substantially impaired the functioning of dozens of computer servers and resulted in millions of dollars of damages to the government victims,” prosecutors said then.

Now according to the indictment unsealed in New York this week, Love is believed by investigators to have also hacked into a Federal Reserve computer system starting in late 2012 “in order to steal and then publicly disseminate confidential information,” including the personal identification information of people authorized to use that network.

Prosecutors say that starting in Oct. 2012, Love used a hacking method known as a SQL injection to gain unauthorized access to certain Fed servers. Once inside, they allege, he pilfered confidential information hosted there including the names, email addresses and phone number of credentialed system users.

In early February 2013, the indictment claims, Love posted that data “on a particular website, unrelated to the Federal Reserve, which previously had been hacked and which he controlled.”

Although the name of that website is absent from the public indictment, it is likely the online portal of the Alabama Criminal Justice Information Center. At around the time same the indictment alleges Love posted personal identification information on an “unrelated” website, RT reported that personal info pertaining to thousands of banking executives had been obtained by a faction of Anonymous known as OpLastResort — a group that first appeared online that January just days after computer prodigy Aaron Swartz committed suicide while waiting to stand trial to face hacking charges of his own.

In the first weeks after Mr. Swartz’s passing, the OpLastResort Twitter account posted messages such as “This tragedy is basis for reform of computer crime laws, and the overzealous prosecutors,” and “The situation Aaron found himself in highlights the injustice of US computer crime laws.” Then on Feb. 4, the account linked to the Alabama Criminal Justice Information Center website and claimed, “Yes, we posted over 4000 US bank executive credentials.”

Now we have your attention America: Anonymous's Superbowl Commercial 4k banker d0x via the FED http://t.co/ABcGMj44#opLastResort#Anonymous

— OpLastResort (@OpLastResort) February 4, 2013

Yes we posted over 4000 U.S. bank executive credentials http://t.co/kDmgH8dN

— OpLastResort (@OpLastResort) February 4, 2013

The Federal Bureau of Investigation launched an investigation into the hack that same week, but at least one bank officials who saw their personal data compromised by the breach said nothing of significance was disclosed by the Anonymous offshoot.

"The information that was on the contact system was the same thing that was on my business card, so it wasn't like it was anything that could do any harm to me or the bank." Illinois' Community First Bank President and CEO Jo David Cummins told Reuters at the time.

That same week, a spokesperson for the St. Louis Fed said, “Despite claims to the contrary, passwords were not compromised, but nonetheless, have been reset as a precautionary measure.”

George Venizelos, the assistant director-in-charge of the FBI’s New York office, said in a statement his week that “The FBI is committed to working with private and public entities to stop computer intrusions and prevent hackers from harming victim companies and individuals.”

Love was arrested last October in England after prosecutors in New Jersey and Virginia unsealed the first two indictments, but according to British media he was released on bail through February. Regardless of whether or not he’ll be sent to America, however, he could at any moment end up in a new type of trouble across the pond: FreeAnons, a website established to raise awareness and legal funding for alleged Anonymous hacktivists, wrote this week that while Love was not charged in the UK, he was ordered to hand over his personal encryption keys to the local government under Britain’s Regulation of Investigatory Powers Act 2000 by Feb. 7 or face repercussions, including possible jail time.

“FreeAnons is urging any journalists or civil rights activists, especially in Britain, to take a keen interest in this case,” the website wrote. “The harsh legal tactics already being used against Love and the way the media has been used to conduct a pre-trial smear campaign against him need to be spotlighted. In the usage of RIPA to attempt to coerce Lauri, we are seeing yet another hint of further things to come. Overly broad legal definitions and laws are wielded against citizens to erode their rights more every day. We also urge everyone to remember that in our system of justice defendants are innocent until proven guilty, no matter how many DoJ press releases and statements may try to prejudice opinions against the accused”

Karen Todner, Love’s UK lawyer, told the Associated Press this week that she is “vehemently opposed” to any extradition request from the US.

“If Mr. Love faces local charges, US prosecutors likely wouldn't seek extradition until that case is resolved,” the BBC reported this week.

"The UK has a justice system that is admired throughout the world, and it is up to our system to try him, not the American system," Todner told the BBC.

Love faces a maximum of 12 years in prison if extradited to the US and found guilty of the two counts included in the latest indictment, not including the charges found in the earlier two indictments. Prosecutors in New York, New Jersey and Virginia have all accused Love, like Swartz, of violating the Computer Fraud and Abuse Act — the same hacking law that OpLastResort rallied to reform last year.