20-Year-Old Enters Prison for Historic Breach, Ransoming of Massive Student Database (abcnews.com)
- Reference: 0181748952
- News link: https://yro.slashdot.org/story/26/04/18/156236/20-year-old-enters-prison-for-historic-breach-ransoming-of-massive-student-database
- Source link: https://abcnews.com/US/addicted-hacking-young-hacker-historic-breach-speaks-1st/story?id=131855776
> Barely a year earlier, while still a teenager, he helped launch what's been described as the biggest cyberattack in U.S. education history — a data breach that concerned authorities so much, it prompted briefings with senior government officials inside the White House Situation Room. The breach pierced the education technology company PowerSchool — used by 80% of school districts in North America... [and operating in about 90 countries around the world]. With threats to expose social security numbers, dates of birth, family information, grades, and even confidential medical information, the breach cornered PowerSchool into paying millions of dollars in ransom.
>
> "I think I need to go to prison for what I did," Lane told ABC News in an exclusive interview, speaking publicly for the first time about the headline-grabbing heist and his life as a cybercriminal. "It was disgusting, it was greedy, it was rooted in my own insecurities, it was wrong in every aspect," he said in the interview, two days before reporting to prison... At about 6:30 on a Tuesday morning last April, FBI agents started banging on the door of Lane's second-floor dorm room. "FBI! We have a search warrant," Lane recalled them shouting. They seized his devices and many of the luxury items he bought with "dirty" money, as he put it. He said he felt a "wave of relief.... I'm honestly thankful for the FBI," he said. "After they left, I was like, 'It's over ... I'm done with this'..."
>
> A federal judge in Massachusetts sentenced him to four years in federal prison and ordered him to pay more than $14 million in restitution.
"In the wake of the breach, PowerSchool offered two years' worth of credit-monitoring and identity protection services to concerned customer," the article points out. But it also notes two other arrests in September of teenaged cybercriminals:
- A 15-year-old boy in Illinois who allegedly attacked Las Vegas casinos, reportedly costing MGM Resorts alone more than $100 million
- A British national who when he was 16 helped breach over 110 companies around the world and extort $115 million.
But ironically, Lane tells ABC News it all started on Roblox, where he'd met cheaters, password-stealers, and cybercriminals sharing photos of their stacks of money, creating a "sense of camaraderie."
> Lane and others warn that online forums also attract criminal groups seeking to recruit potential hackers. "The bad guys are on all the platforms watching the kids playing," Hay said. "And when they see an elite-level performer, they go approach that kid, masquerading as another kid, and they go, 'Hey, you want to earn some [money]? ... Here are the tools, here are the techniques'...."
>
> According to Lane, he spent his "ill-gotten gains" on designer clothes, diamond jewelry, DoorDash deliveries, Airbnb rentals for him and his friends, and drugs — "lots of drugs." He said he would numb ever-present feelings of guilt with drugs — from high-potency marijuana to acid. But it was hacking that gave him the strongest high. "It's indescribable the adrenaline you get when you do something like that," he said. "It's way more than driving 120 miles per hour. ... Incomparable to any drug at all, as well."
"On Monday, Roblox announced that, starting in June, it will offer age-checked accounts for younger users that limit what games they can play, and add 'more closely align content access, communication settings, and parental controls with a user's age.'"
Moral of the story: (Score:5, Insightful)
If a massive amount of critical information and system of your business can be held hostage by a child then you are not "taking security very seriously" and you do not "respect the rights of [your] users".
The fact that stuff like this happens is astoundingly stupid. This foolish child isn't innocent but the businesses are all guilty as hell.
Re: Moral of the story: (Score:2)
Maybe not guilty as hell but definitely negligent.
Re: (Score:2)
It's not just a child. It's a child plus a network of organised crime that specialises in tooling for illicit compromise, which said child has access to, plus contacts with compromise experience to learn from. This changes things significantly.
Cybersecurity is a hellishly expensive thing if done to the degree that's found in financials and the like (where a bad compromise could have serious international ramifications).
Most places don't have the budget to hire enough of the right staff to protect against
Re: (Score:1)
I've heard similar arguments in jail. Psychopaths blame the victims for allowing themselves to be exploited.
Calling him a 'child' is a bit of a stretch, too, unless you mean 'an immature or irresponsible person' or 'a person who has little or no experience in a particular area' or 'a young human below the age of puberty'. It implies that he shouldn't be treated as an adult....and the court decided he should be.
He's not a child. (Score:2)
Security weakness is not consent to intrusion.
Re: (Score:2)
Corporations are people, very wealthy people. Wealthy people have a different justice system than you and me.
Misdirected skillset, contempt of cop^H^H^H (Score:2)
corporation.
1. Why do we not have a way to catch these bad actors early and redirect their talent to something more beneficial? Of course the human nature part of the pursuit of riches gets in the way here.
2. Let me start by saying that this guy deserves to go to prison for what he did. However, a lot of laws are bought and paid for by corporations bent on severely punishing people for things which put a dent in profitability. I would argue it is similar to "contempt of cop" but for the benefit of "virtual
Re: (Score:2)
> 1. Why do we not have a way to catch these bad actors early and redirect their talent to something more beneficial?
Because often these folks aren't actually talented and are just being opportunistic criminals. Lots of things aren't secured particularly well in real life too, but we don't offer well paying jobs to every kid who learns lock picking from YouTube, either.
Admittedly, because these companies being breached have their systems connected to the global internet, they should be taking security a bit more seriously since the culprit may not always be an American or from a country with an extradition treaty. But a
Re: (Score:2)
So maybe the conviction and sentencing, and punishment meted out should consist of 2 parts. One for the perpetrator, and the other for the corporation who let their guard down. The problem is, you can never be sure all of the vulnerabilities are mitigated on your attack surface. Also how do you convict a corporation without designating some corporate officer who is the equivalent of a whipping boy, and who gets to go to jail on behalf of the corporation?
Nobody deserves to go to prison (Score:1)
Not in a modern civilization.
We all know we're sending this guy to get fucked up by fellow prisoners. We want to see him tortured and we're too squeamish to do it ourselves so we're going to arrange for other people to do it.
A proper civilization wouldn't be using prisons to inflict torture, especially torture so severe that we are too grossed out by it to do it ourselves directly.
Prison should be about containment. The idea being that you have somebody that if you don't keep them under constant
Re: Nobody deserves to go to prison (Score:2)
Grow up.
Re: (Score:2)
I did. It sucks. I can't blame black kids in prison for the failings of my country anymore. I can't use comfortable lies to make myself feel better.
I'm starting a movement to bring back DOOM (Score:2)
Before you go into any prison, you have to pick up the red, blue, and gold card(s). And a berserker pack.
Nothing elite about this kid. (Score:2)
He's just another script kiddie that was gassed up by the real threat actors, then handed tools. 9 out of 10 times one of these kids goes down, they aren't the brains behind the incident.
They even admitted that somebody else provided the tools. It's just sad that they still believe that they were selected for their leet skillz.
Once again they buried the lead (Score:2)
A single company has 80% of all data concerning education and students.
That seems like a much bigger deal here.
You can send all the 20-year-olds you want to jail for as long as you want and it will never make that okay. But hey security theater is a thing and old people like seeing young people get harmed. I don't know why we just seem to like it a whole hell of a lot.
Re: (Score:2)
The affected parties are guilty of stupidity. The punk kid sounds more like a messenger than a criminal. But, of course he did commit crimes; did any of his victims 'get the message'? I doubt it.
Why is his age news? (Score:2)
He's an adult criminal, not a child. He chose his fate.
yer gonna put you eye out kid (Score:2)
It's all fun and games until that happens
"Matthew Broderick" almost touched off a global thermonuclear war... And walked away.
"Mr Robot" was fighting the good fight... As if THAT really happens.
The fact is, investigating your own gear is a-ok. Stuff that belongs to others... It gets dark gray really fast. Make bucks at it... It's not gray at all. Pitch black.
You committed a crime (Score:4, Informative)
There are consequences. Welcome to adulthood.
Re: (Score:2)
Yeah, just like those adults who raped them kids, and were sent to jail to serve their lengthy sentences. Oh, wait - they went on to live lives of wealthy, untouchable elites; and one of them actually became president of a first world country.
Re: (Score:2)
> There are consequences. Welcome to adulthood.
[1]Consequences schmonsequences, as long as I'm rich! [youtube.com]
[1] https://www.youtube.com/watch?v=Yx2exbhMHQU