San Diego man pleads guilty to USC computer hack

Computerworld - A 24-year-old San Diego, Calif. computer network administrator is awaiting sentencing after pleading guilty Tuesday to federal charges of illegally accessing the computer network at the University of Southern California (USC) last year. The incident occurred after he was denied admission to the school.

Eric McCarty pleaded guilty in U.S. District Court in Los Angeles in connection with his infiltration of USC's online student application system in June 2005, according to a criminal affidavit filed in the case. McCarty was accused of accessing confidential information submitted by students applying to the school and causing damage to the IT system by using a "SQL injection attack" to bypass the login authentication process of the school's online application system.

McCarty could not be reached for comment by telephone at his home this afternoon.

The case was investigated by a special agent of the FBI's cybercrimes squad in Los Angeles.

The USC student database accessed by McCarty contained the names, Social Security numbers, addresses and other personal information of about 275,000 students since 1997, according to the affidavit. Each user account was protected with a unique user name and password, but McCarty's use of certain SQL database commands allowed him to take advantage of a software vulnerability that provided access to the confidential data, according to the affidavit.

"A forensic examination of McCarty's computers seized from his residence pursuant to a federal search warrant revealed, among other things, files containing SQL injection attack codes and the user names, passwords and Social Security numbers from seven individuals in the USC applicant database," the affidavit said.

McCarty then allegedly created a new Google Gmail account in an alias name at "ihackedusc@gmail.com" to describe his actions to a staff member at a security vendor Web site. He allegedly admitted his infiltration of the database and attached a copy of some of the records he obtained.

McCarty later posted a comment on his personal blog page about the incident -- entitled "USC GOT HACKED," -- where he disclosed his involvement in the incident. "USC Got Hacked, I was involved, I'm sorry, my bad, so all the hot USC Girls, I got your phone number ladies, if your name is Amanda, Allison, Amy or Anita, expect a call any day now..." he wrote in his blog, according to the affidavit. Court documents stated that McCarty was unhappy with USC for not admitting him to the school.

Four computers and other related items were seized by authorities from McCarty's home in August 2005 as part of the investigation. USC's applicant Web site and SQL database were shut down and remained offline for more than 10 days while the incident was investigated, according to the affidavit. In compliance with California law, the university had to notify by letter all individuals whose data was contained on the admissions database of the intrusion.

McCarty is expected to be sentenced Dec 4.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.