JAMES B. COMEY, United States Attorney for the Southern District of New York, and PASQUALE D’AMURO, the Assistant Director in Charge of the New York Office of the Federal Bureau of Investigation, announced that ADRIAN LAMO was charged in Manhattan federal court with hacking into the internal computer network of the New York Times. LAMO surrendered today to federal authorities in Sacramento, California.
According to a two-count criminal Complaint unsealed today in Manhattan federal court, on February 26, 2002, LAMO hacked into the New York Times’ internal computer network and accessed a database containing personal information (including home telephone numbers and Social Security numbers) for over 3,000 contributors to the New York Times’ Op-Ed page.
As described in the Complaint, soon after being notified of the computer intrusion, the New York Times conducted an internal investigation and confirmed that an intruder had in fact hacked into its network and accessed the personal information for contributors to the Op-Ed page. In addition, according to the Complaint, the Times determined that the intruder had added an entry to that database for “Adrian Lamo,” listing personal information including LAMO’s cellular telephone number (415) 505-HACK, and a description of his areas of expertise as “computer hacking, national security, communications intelligence.”
The Complaint states that the New York Times later learned that while inside its internal network, LAMO had set up five fictitious user identification names and passwords (“userids/passwords”) under the New York Times’ account with LexisNexis, an online subscription service that provides legal, news and other information for a fee. The Complaint charges that over a three month period, those five fictitious userids/passwords conducted more than 3,000 searches on LexisNexis; in the month of February 2002, the five userids/passwords conducted approximately 18% of all searches performed under the New York Times account.
According to the Complaint, the unauthorized LexisNexis searches included searches for “Adrian Lamo”; searches for other individuals with the last name “Lamo”; searches using the Northern California home address of LAMO’s parents; searches for various reputed hackers; and searches for various known associates of LAMO. The LexisNexis charges incurred by these five accounts was approximately $300,000, according to the Complaint.
In an interview with a reporter from an online publication called “SecurityFocus.Com” later on February 26, 2002, LAMO admitted that he was responsible for the New York Times intrusion, it was charged.
The Complaint also identifies a series of other computer intrusions for which LAMO has acknowledged responsibility in interviews with members of the press. In some instances, according to the Complaint, LAMO personally admitted responsibility for the computer intrusion to representatives of the victimized company, explaining how he hacked their computer network, and providing corroboration that he was, in fact, the intruder. The other intrusions, and the approximate dates according to the charges, are: (1) Excite@Home, May 2001; (2) Yahoo!, September 2001; (3) Microsoft, October 2001; (4) MCI WorldCom, November 2001; (5) SBC Ameritech, December 2001; and (6) Cingular, May 2003.
LAMO, 22, is scheduled to be presented before a United States Magistrate Judge in Sacramento, California, federal court later today.
If convicted, LAMO faces a maximum sentence of 15 years in prison and a $500,000 fine.
Mr. COMEY praised the investigative efforts of the Federal Bureau of Investigation’s Cybercrime Task Force and Computer Hacking and Intellectual Property Squad, and also thanked the New York Times, LexisNexis, Yahoo!, Microsoft, MCI WorldCom, SBC Ameritech, and Cingular for their assistance.
Assistant United States Attorney MARK F. MENDELSOHN is in charge of the prosecution.
The charges contained in the Complaint are merely accusations and the defendant is presumed innocent unless and until proven guilty.