This ID thief got off easy

A 41-year-old private computer contractor was convicted today of trying to sell a USB flash drive with the names and social security numbers of 17,000 U.S. Marines or military employees to a person he believed to be a representative of a foreign government. The thief, Randall Craig, faces up to 7 years in prison, but I say he got off easy.

Some may argue that Craig, who lives in Houston, is in one sense nothing more than a sleazy opportunist who took advantage of his access to a central database on the Marine Corps Reserve Center in San Antonio for a little profit. And when I say 'little', I'm not exaggerating.

While most thieves are pretty ignorant -- it just comes with the territory -- Craig excelled in his field. He tried selling the flash drive to an undercover FBI agent for $500 -- probably less than a week's pay for Craig.

Craig was formally convicted of "exceeding authorized access to a computer" and "aggravated identity theft". (The "exceeding authorized access to a computer" sounds somewhat comical. It makes it sound like he was caught carving out oversized LUNs for a database or something.)

Consider that soldiers, sailors and Marines are some of the lowest-earning, hardest-working people in this country. For example, a Marine sergeant with more than six years of service earns $28,720.80 a year before taxes for a gross salary of about $600 a week. When you're deployed overseas in a combat zone, as many of these servicemen and women are during their tours of duty, you're at work 24/7. There's downtime, but no off time -- there aren't any 40-hour weeks.

Now consider the damage Craig could have done. Craig sold sensitive information on 17,000 U.S. servicemen and women to someone he thought was a foreign government agent. It would have been bad enough had that recipient of the flash drive been a member of a foreign identity-theft ring that could have used the data to clean out the bank accounts of these Marines and their families, as well as run up debt and ruin their credit. What Craig did was try to sell sensitive information on these military personnel to a foreign government (the FBI didn't identify which government that was). Craig also admitted he had made efforts to contact other foreign countries in an attempt to offer his services. So, Craig's crime goes beyond mere theft for profit to a flagrant attempt to expose thousands of Marines and other government employees to whatever schemes that foreign government may have had.

I'm not saying Craig should have been shot. He isn't a traitor in the classic sense and, at least on the face of it, he wasn't selling military secrets that could have compromised our national security, but that data could have been used for theft, blackmail or who knows what. Craig was selling data for the explicit purpose of hurting U.S. Marines, and that should carry with it a special, more harsh sentencing guideline -- one that goes beyond punishment for "exceeding authorized access" or ID theft.

Copyright © 2008 IDG Communications, Inc.
