Brit Lauri Love faces more US hacking charges

News by Tim Ring

Lauri Love, a 29-year-old British man from Stradishall in Suffolk, has been charged by a US court with hacking into multiple US government computers and stealing more than 100,000 employee and financial records.

These are the latest set of charges laid by US courts against Love, who has previously been accused of breaching the US Army, the FBI, the US Missile Defense Agency and NASA, as well as the New York Federal Reserve Bank to steal “massive quantities” of confidential data resulting in millions of dollars' worth of losses.

Love remains in the UK and his London-based lawyer, Karen Todner, a leading criminal defence, human rights and extradition expert, has promised that any attempt to extradite him to the US will be “vehemently opposed”.

Love was originally arrested by the UK National Crime Agency  (NCA) in October 2013 in response to the US charges. He was released from bail earlier this month, but Todner said enquiries are still on-going.

In the latest charges, Love was indicted on 24 July by a federal grand jury in the Eastern District of Virginia on charges of conspiracy, causing damage to a protected computer, access device fraud and aggravated identity theft. 

According to the indictment, from around October 2012, Love and unnamed co-conspirators hacked into the systems of the US Department of Energy, the Department of Health and Human Services, the US Sentencing Commission, the FBI's Regional Computer Forensics Laboratory and two private companies – Deltek Inc and Forte Interactive Inc.

They allegedly used a known vulnerability in Adobe's ColdFusion website and database management software – now patched – to gain admin-level access to the computers and steal “massive amounts of sensitive and confidential information” at a total cost to the organisations of more than US$ 5 million (£2.95 million).

The data included the credentials of more than 100,000 employees – comprising names, social security numbers, addresses, phone numbers and salary information – as well as more than 100,000 financial records, including credit card numbers and names.

Love faces a maximum of ten years in prison if convicted of the offences and a mandatory additional two years if convicted of aggravated identity theft.

The previous charges were laid against him in February of this year and October 2013.

At the time of the February accusations, Karen Todner said in a statement: “The United States have preferred an indictment against Mr Lauri Love. We hope that all matters will be investigated and concluded within the UK where Mr Love has lived all of his life and remains. If there is an extradition request from the United States it will be vehemently opposed. We believe that if Mr Love is to face charges that they should be, and will be, in the UK.”

Commenting on the issues around his possible extradition, Charlie McMurdie, a senior crime adviser with PricewaterhouseCoopers and former head of the Met Police's e-Crime Unit, told “It will be interesting to see if they are looking to extradite this individual for charges on American victims.

“The whole extradition issue is something that needs to be really nailed down, not just with the Americans but internationally. Does the offence start at the point of somebody tapping on a keyboard sat in the UK, is that where you push the attack button and potentially which cases could be dealt with if the evidence was provided to the UK to prosecute?

“But it's a difficult one where it's government databases and the primary offences are abroad or your victims, witnesses, all the evidence sits abroad - that's an issue where perhaps extradition is more appropriate. But it will always be heavily contested.”

The two private companies involved in the latest set of charges are both technology suppliers. Deltek provides enterprise software systems to professional services firms and US government contractors. Forte Interactive provides fundraising and website management tools to mainly non-profit organisations.

The 27 February charges against Love and others were laid in the Manhattan Federal Court, where he was accused of using an SQL injection vulnerability in late 2012 and early 2013 to infiltrate the Federal Reserve's servers. 

Manhattan US Attorney Preet Bharara claimed Love was “a sophisticated hacker who broke into Federal Reserve computers, stole sensitive personal information, and made it widely available, leaving people vulnerable to malicious use of that information”. 

FBI assistant director George Venizelos said he was “part of a sophisticated network of criminals involved in computer intrusions”.

Last October, Love and others were charged in the Newark, New Jersey federal court with a string of offences, largely using the Adobe ColdFusion exploit highlighted in the new charges. 

The New Jersey court was told that between October 2012 and January 2013 Love and his conspirators hacked into “thousands of networks” belonging to the US Army, US Missile Defense Agency, Environmental Protection Agency and NASA to steal military data and personal identifiable information that belongs to US servicemen and women. 

Love was arrested by the NCA at his Suffolk home on 25 October. 

According to a Daily Mail report following his arrest, Love is the son of a Baptist minister and an activist in the Occupy hacktivist movement. 

The NCA would only confirm in a 7 July statement: “A 28-year old British man has today been released from bail, following his arrest in October 2013 on suspicion of offences contrary to the Computer Misuse Act 1990.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews