A federal judge today ignored convicted hacker Andrew Auernheimer's leniency plea in sentencing him to 41 months in prison for illegally accessing email addresses and other data belonging to more than 120,000 iPad subscribers from AT&T's networks.
U.S. District Judge Susan Wigenton of the District Court in New Jersey also sentenced Auernheimer to an additional three years of supervised release and ordered him to pay AT&T more than $73,000 in restitution for damages stemming from his actions.
The sentence is the maximum that federal prosecutors had sought against Auernheimer.
In a pre-sentencing memo filed with the court last week. Auernheimer's attorneys had argued their client only deserved months of non-custodial probation, at most, for his offenses. They had argued for leniency on the grounds that Auernheimer's actions were not motivated by fraud and did not cause any direct harm to AT&T's systems.
Monday's sentence shows that neither the jury nor the court bought that story, the U.S attorney's office said in a statement.
"Andrew Auernheimer knew he was breaking the law when he and his partner hacked into AT&T's servers and stole personal information from unsuspecting iPad users," U.S. Attorney Paul Fishman noted. "When it became clear that he was in trouble, he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door. The jury didn't buy it, and neither did the Court in imposing sentence upon him today."
Auernheimer made headlines in June 2010 when he and his partner, Daniel Spitler, used an automated script they called iPad 3G Account Slurper to extract email addresses and SIM card ID numbers of more than 100,000 iPad owners from AT&T's servers.
The data included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, ABC's Diane Sawyer, movie producer Harvey Weinstein, former White House chief of staff Rahm Emmanuel and numerous others.
Auernheimer and Spitler handed the data to Gawker, which posted the information public. The duo claimed they carried out the exercise only to demonstrate how AT&T was leaking the data via its Web site.
But prosecutors claimed that the whole caper was a self-serving stunt by Auernheimer to promote himself and Goatse Security, a security group to which he belonged. AT&T said it had to spend more than $73,000 for breach notifications.
In court filings, prosecutors described Aurenheimer as someone who not only took credit for the breach but also openly boasted about it to the media and others. They noted that Goatse Security often portrayed itself as a group of self-described Internet trolls bent on disrupting services and content on the Internet.
The federal complaint against the two defendants contained numerous excerpts of interviews with the media where Aurenheimer boasted of his hacking abilities and the disruption caused by those actions. One excerpt is from a 2008 interview with The New York Times where Auernheimer is quoted as saying, "I hack, I ruin, I make piles of money. I make people afraid for their lives."
The pre-sentencing memo filed by prosecutors last week noted that Auernheimer had at no point shown any remorse for his actions even after being convicted. They pointed to an interview with Gawker where Auernheimer had disparaged the judge as a "mean bitch" and had insisted that he felt absolutely no contrition over what he had done.
Auernheimer was found guilty in November on charges of conspiracy to access a computer without authorization and fraud in connection with personal information. Spitler pleaded guilty to similar charges and is awaiting sentencing.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.