On Friday, a complaint filed by the Manhattan District Attorney’s office charged a seventeen-year-old boy with several offences. The complaint alleges that between December 2006 and April 2007, Mike Nevins committed computer trespass, computer tampering, and criminal possession of computer material.
The DA said that the teen broke into AOL and infected their systems with malicious programming designed to transfer information back to his computer. AOL is remaining silent as to whether customer information was compromised. So far, there is little evidence of information loss, but the investigations are apparently still ongoing.
The charges, according to the filed complaint, are somewhat typical of this type of claim. The first part stems from the actual accessing of systems, which include customer-billing records. These records housed credit card information, names, and address of existing AOL customers. Secondly, the infection of computers at an AOL call center in India. The infection was a program that relayed information back to Nevins computer in New York. Furthermore, the brief mentions the attacker logging into forty-nine separate AIM messenger accounts without permission, each of these accounts belonged to contractors or full time employees of AOL.
The last listed offence related to Phishing attacks. Nevins apparently netted himself access to more than sixty AOL employee accounts. With all the hype from AOL about security and fraud protection, their staff should have caught on sooner. To be fair the court records do not mention how the Phishing attack was pulled off, and depending on the type of internal policy, it is hard to ignore a letter from your boss asking for information if that was the case.
Nevins is facing four felony charges and one misdemeanor charge. He was arraigned on Monday last week, and will have another court appearance this Friday. According to an AOL spokesperson, the cost of the damage is estimated to be around half-a-million dollars. A statement to the AP from the DA’s office said, “It's too early to tell exactly what information he compromised or not.” (Information referring to the possible loss of customer information on the breached systems)
Now for the twist, Nevins admitted his part in the crime. In a statement sent with the court filing he said, “I accessed their internal accounts and their network and used it to try to get my accounts back.” He is also listed as admitting to posting details of his crimes and photographic proof to several websites.
Some experts say that his admission is proof that he was not out the steal personal information. Many online wonder why he bothered to get his AOL account back after it was apparent he already had online access. His attacks all originated form his home according to the court papers. Security and law experts alike will watch the case and the fallout because of the potential for another TJX like scenario. If there is proven data loss, then Nevins will face larger charges, and AOL will need to take quick action to resolve the issue.
The New York Post reported last week that Nevins mother spoke to the paper saying that her son was a special education student and has behavioral problems. Another source on the Post’s story also said the Nevins has given AOL problems for years. Neither of these points matter in the bigger picture of the trial and reported crime. There are also rumors that Nevins is related to an “AIM hacking group” which snitched him out to police thus leading to his arrest.
The next court date is Friday, May 4, 2007. That date is preliminary hearings; there is no set court date for trial.
USA
Your Talkback on this Story