Police blotter: Sysadmin loses e-intrusion case

Police blotter: Sysadmin loses e-intrusion case

By Declan McCullagh
Staff Writer, CNET News.com

Published: January 13, 2006, 12:03 PM PST

"Police blotter" is a weekly report on the intersection of technology and the law.

What: A Missouri system administrator appeals his conviction for unauthorized computer intrusion.

When: The 8th Circuit Court of Appeals ruled on Jan. 9.

Outcome: Conviction of three months imprisonment, a fine and restitution was upheld.

What happened: Thomas Millot worked as a systems analyst at Aventis Pharmaceuticals, where he was responsible for computer security at the company's Kansas City, Mo., office. As part of his job, Millot administered the SecureID card system.

After Aventis outsourced its computer security operations to IBM in late 2000, Millot found himself out of a job.

But he kept an administrator-level SecureID card with him and used it to enter the network nine times. During one of those intrusions, Millot deleted the account for his former colleague Jeff Jernigan, Aventis' manager of technical services.

IBM employees eventually tracked down what happened and restored Jernigan's access. IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350.

Millot admitted that he had misused the SecureID card, but his lawyers argued that the activity didn't meet the Computer Fraud and Abuse Act's requirement of $5,000 in damages.

A federal judge disagreed and handed down a relatively light sentence of three months of imprisonment, three months of home detention and three years of supervised release, plus a $5,000 fine and $20,350 in restitution.

Millot's attorneys reiterated their claim on appeal, which the 8th Circuit rejected.

Excerpt from the court's opinion (click here for PDF): "Millot argues that any costs incurred by IBM should not have been considered in determining whether the loss amounted to the statutory minimum because the system was owned by Aventis, and IBM was a 'volunteer' fixing the system. This argument lacks merit.

"The (Computer Fraud and Abuse Act) provides for a fine and imprisonment up to five years for an individual who 'intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage' and that conduct causes 'loss to one or more persons during any one-year period...aggregating at least $5,000 in value.'

"Although the damage was done to the Aventis computer system, the statute does not restrict consideration of losses to only the person who owns the computer system, and the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met.

"Next, we address the sufficiency of the evidence. Millot contends that the government's evidence was insufficient to establish that the actual loss exceeded the $5,000 minimum because there was no evidence that IBM specifically billed Aventis the amount alleged...At Millot's trial, the government presented undisputed evidence regarding the hours spent by (experts) Bridges and Meyers in response to the unauthorized intrusion, and that the time spent was valued at $50 per hour. IBM undoubtedly paid Meyers and Bridges for their time, and the work was done on behalf of Aventis to remedy damage to Aventis' computer system that Millot admits he caused.

"Accordingly, we find that the evidence presented was sufficient to support the conviction."