A British man has been charged with hacking into U.S. government computers and stealing personal data about thousands of employees, then bragging about it on Twitter.
Lauri Love, 28, was arrested Friday at his home in Stradishall, England, according to a statement from the New Jersey District Attorney’s Office. He is charged with one count of accessing a U.S. department or agency computer without authorization and one count of conspiracy
Over the past year, Love and three unnamed co-conspirators—two living in Australia and one in Sweden—allegedly planted malware on government computers in order to steal data, according to an indictment filed in District Court in New Jersey.
The group, which planned their attacks over IRC instant messaging, compromised agencies including NASA, the U.S. Defense Department’s Missile Defense Agency, the U.S. Army’s Network Enterprise Technology Command and the Environmental Protection Agency, among others.
They are alleged to have obtained personal information of more than 4,000 employees for the Missile Defense Agency and “numerous” NASA employees, according to the indictment. The group allegedly publicized their attacks on Twitter.
Government databases were attacked using SQL injection techniques, which involves probing back-end databases. The attackers also gained access to government computers by exploiting vulnerabilities in ColdFusion, Adobe Systems’ Web application development platform.
In an attempt to avoid detection, the group allegedly channeled its attacks through proxy servers and used TOR, a network that provides greater privacy by routing encrypted Web traffic through servers around the world.
The indictment alleges the attacks “collectively resulted in millions of dollars in damages to the government victims.”
Love could face up to five years in prison and a US$250,000 fine for the two New Jersey charges. He has also been charged in U.S. District Court for the Eastern District of Virginia for related intrusions, prosecutors said.