Alleged UK Hacker Charged a 3rd Time
Indictment Focuses on Attacks on HHS, Other U.S. Agencies
An alleged hacker based in the United Kingdom has been indicted for a third time. The latest charges allege he infiltrated computers at several U.S. government agencies, including the Department of Health and Human Services.
The new indictment, unsealed by the U.S. Attorney's Office for the Eastern District of Virginia on July 24, charges Lauri Love with conspiracy, causing damage to a protected computer, access device fraud and aggravated identity theft.
The latest indictment accuses Love of accessing protected computers at HHS, the Department of Energy, the U.S. Sentencing Commission and the FBI's Regional Computer Forensics Laboratory, plus government contractors Deltek Inc. and Forte Interactive.
The alleged U.K. hacker, along with several conspirators, gained access to the computers by exploiting a vulnerability in Adobe ColdFusion, a software program designed to build and administer websites and databases, authorities say. The vulnerability allegedly allowed Love and his conspirators to access protected areas of the victims' computer servers without proper login credentials, according to prosecutors.
Once the alleged hackers had access to the servers, they obtained administrator-level access to the networks, which allowed them to upload and download files, as well as create, edit, remove and search for data, authorities say.
Love allegedly obtained massive amounts of sensitive and confidential information stored on those computers, including more than 100,000 employee records with names, Social Security numbers, addresses, phone numbers and salary information, along with more than 100,000 financial records, including credit card numbers and names. Love's alleged actions caused total losses in excess of $5 million, authorities say.
If convicted on the latest charges, Love faces a maximum penalty of 10 years in prison. He also faces a mandatory additional two years in prison if convicted of aggravated identity theft.
The earlier New York indictment alleges that from October 2012 through February 2013, Love worked with other computer hackers around the world to secretly gain access to the Federal Reserve's servers to steal and then publicly disseminate confidential information found on those servers.
In that indictment, Love was charged with one count of computer hacking, which carries a maximum term of 10 years in prison, and one count of aggravated identity theft, which carries an additional sentence of two years in prison.
Earlier, Love was also charged in New Jersey with hacking into thousands of U.S. government computers to steal massive amounts of confidential information. According to that indictment, the U.S. government computers he allegedly accessed were at the Army, Missile Defense Agency, Environmental Protection Agency and NASA. He faces a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense, on each of the two counts.