Bulk mailer faces criminal charges

Reputed spammer slapped with 144 federal criminal counts in major data theft from consumer data company.

Declan McCullagh
Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
3 min read
A bulk e-mailer in Florida has been charged with electronically breaking into a massive data warehouse and stealing gigabytes of personal information on Americans, federal prosecutors said Wednesday.

Scott Levine, 45, of Boca Raton was indicted by a federal grand jury in Arkansas for allegedly breaking into Acxiom's servers and downloading 8.2 gigabytes of data in what the U.S. Justice Department called one of "the largest cases of intrusion of personal data to date." Acxiom, based in Little Rock, Ark., operates the world's largest repository of consumer data and counts as customers major banks, credit card companies, insurers and the U.S. government.

A 31-page indictment released Wednesday says that Levine, who ran Snipermail.com, and one or more conspirators accessed an Acxiom server used for file transfers and downloaded an encrypted password file called ftpsam.txt in early 2003. Then they ran an unnamed cracking utility on the ftpsam.txt file, were able to discover 40 percent of the passwords, and used those accounts to download even more sensitive information, the indictment says.

Levine and his cohorts allegedly incorporated "the stolen data into the Snipermail system" and resold it to clients, including a marketer working on behalf of a firm "engaged in the manufacture, sale and promotion of a brand-name pharmaceutical." It's unclear from the indictment how much of the alleged theft included e-mail addresses versus physical mailing addresses, and the Justice Department did not immediately respond to queries.

Levine could not be reached through e-mail or on the phone Wednesday. While the Snipermail.com site is now offline, a company Web page stored by Archive.org in early 2003 touts Snipermail.com's "opt-in" mailing lists and stresses that "subscribers to that list have stated that they want to receive promotional messages."

Snipermail.com has drawn fire from antispam advocates in the past for falsely claiming to operate only "opt-in" lists. The company's domain name shows up on the Register of Known Spam Operations compiled by the Spamhaus Project, and 63 sightings of spam from Snipermail.com appear on Usenet's abuse-sightings discussion group.

Acxiom did not reply to questions about how many Americans were affected by the alleged disclosure. The company provided a statement saying that since 2003, "We've improved our intrusion detection, vulnerability scanning and encryption systems, enhanced our internal and external audit practices, and are fully committed to working with our clients and outside experts to ensure continuous improvement in our security environment...There is no indication that any individuals are at risk of harm due to the breaches."

Levine has been charged with 144 counts related to computer crime, with each file transfer listed as a separate violation of the law. The charges include conspiracy, unauthorized access of a protected computer, access device fraud (because of alleged password misuse), money laundering and obstruction of justice for allegedly trying to conceal evidence and erase hard drives.

This is not the first prosecution to arise out of poor security practices on Acxiom's file transfer protocol (FTP) server. Last year, an Ohio man named Daniel Baas pleaded guilty to illegally entering Acxiom's FTP site. That investigation led federal police--including the FBI and Secret Service--to Levine, according to the Justice Department.