Three defendants have been charged with what’s being called one of the largest reported data breaches in US history, the Department of Justice recently announced (opens in new tab).
Two Vietnamese citizens living in the Netherlands, and a Canadian, ”made millions of dollars by stealing over a billion email addresses from email service providers”.
“These men — operating from Vietnam, the Netherlands, and Canada — are accused of carrying out the largest data breach of names and email addresses in the history of the Internet,” said Assistant Attorney General Caldwell.
“The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers. This case again demonstrates the resolve of the Department of Justice to bring accused cyber hackers from overseas to face justice in the United States.”
Acting U.S. Attorney John A. Horn said they didn’t target just a single company during the data breach; they infiltrated most of the country’s email distribution firms, and the scope of the infiltration is “unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data - they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”
Viet Quoc Nguyen, 28, and Giang Hoang Vu, 25 were allegedly hacking into email services and stealing data, while Canada, David-Manuel Santos Da Silva, 33, is accused of running an affiliate scheme to use the stolen data and launder the proceeds.
Vu was caught in 2012 and extradited to the US last year, where he pleaded guilty to conspiracy to commit computer fraud and will be sentenced next month. His partner Nguyen is still on the run, while Da Silva is to attend a hearing in Atlanta next month.
UPDATE: Matt White, Senior Manager in KPMG’s Technology practice comments: “As with many cases of cyber theft, the initial breach was not identified in this case, and this allowed further access to systems (the company’s own distribution platforms).
"Putting in place basic precautions can help reduce the extent of harm caused by cyber-attacks, however, time and time again we see companies struggling to control access to their own systems.
"In many cases, there tends to be an overreliance on one person, process or piece of technology to defend vast amounts of data or assets."