Encryption Blog

Write Some Malware, Go to Jail?

Created: 05 Jan 2010 • Updated: 05 Nov 2012
Doug McLean

Albert Gonzalez, the mastermind behind the TJX, Heartland and Hannaford Bros. breaches, recently admitted that he was also the perpetrator behind the 2007 breach of Target Stores. While it was a small breach in comparison to his other accomplishments, prosecutors deemed it worthy of adding another two years to the minimum sentence they are requesting.

The Reuters report on the case indicates Gonzalez will now serve 17 to 25 years for his crimes. What I found more interesting than the developments in Gonzalez' case was the mention that one of his co-conspirators, Steven Watt, who was convicted of developing the software Gonzalez used, has been sentenced to two years in prison for his contributions to Gonzalez' crime spree. He also gets to spend an extra three years having all of his computer and Internet activities "monitored."

The reason I think this is significant is that I believe it is the first time the courts have sentenced a perpetrator to prison time for developing the technology that empowers the execution of a breach. Typically, prosecutors and judges have focused on perpetrators that use malware and deception to steal, while not indicting or really punishing the "technical minds" behind major breaches.

There have been a number of reasons for this. Typically, the developers of the worms, trojans, and bogus web sites set up to perpetrate cybercrime have done so either (A) just to prove they can, with no proof they had actually used them to steal, or (B) well outside of the reach of legal authorities with desire or standing to prosecute.

The Massachusetts prosecutors are to be commended for seeking meaningful punishment for both the creator and perpetrator in this case. We can only hope that other potential developers of malware will see the writing on the wall and recognize that there may be a penalty to be paid in developing malware even for "fun".

If any of you know other cases in which the developer of malware used in a large breach was sentenced to meaningful prison time, please do comment below.