Two former students charged in university hack in Mo.

Pair stole data on 90,000 students, faculty, staff and alumni at the Univ. of Central Missouri

Two former students at the University of Central Missouri (UCM) have been indicted by a federal grand jury on charges of breaking into university databases and of stealing and attempting to sell personal data on about 90,000 UCM students, faculty, staff and alumni. Price for the data: $35,000.

Joseph Camp, 26, and Daniel Fowler, 21, of Kansas City, Mo. are also accused of attempting to steal university funds, infecting numerous university computers with a virus they developed and using their Facebook accounts to threaten potential witnesses against them. The charges carry possible prison terms of between two and 10 years.

The seven-count indictment was unsealed Monday upon Fowler's arrest and initial court appearance. Camp has been in custody in New York for about a year on unrelated charges and will be transferred to Kansas City to face charges in related to the UCM hacking, a spokesman for the U.S. Attorney's Office for the Western District of Missouri said.

In addition to the charges in Kansas City, Camp will also face charges in New York in connection with his attempt to sell stolen UCM data there, the spokesman said.

According to the indictment, Camp and Fowler launched their attacks during last year's fall semester when both were students at the school. The duo used Fowler's room as their base and over a three-month period between October and December 2009 broke into numerous university databases and computers -- including one belonging to a university administrator.

The pair developed a computer virus with which they infected systems used by UCM students, faculty and staff. They even tried unsuccessfully to infect a system being used by the university president. In most cases, they infected the computers by convincing the owner to insert an infected USB thumb drive into their system. At other times, the two sent e-mails with an attachment containing the virus

The virus allowed them to monitor all activity on the infected system, record keystrokes, steal data and remotely turn on the system's webcam if it had one. In one instance, Fowler and camp are alleged to have infected a university administrator's system and then turned on the system's webcam to watch the administrator at work.

In another incident, Camp and Fowler are accused of using a residence hall director's credentials to gain access to a university system and attempt to transfer university funds to their student accounts. The indictment papers list more than 30 such transactions initiated by Camp in amounts ranging from $50 to more than $4,300. The hacks were conducted over Thanksgiving break in an apparent attempt to avoid immediate detection.

The pair is alleged to have continued their activities even after campus police arrested Camp a year ago and confiscated his computers. Sometime last December, Camp and Fowler illegally accessed UCM databases containing information on faculty, staff, alumni, and students and tried to sell the data to a New York-based individual identified only as T.S. in the indictment. When he was arrested in New York, Camp had four Excel spreadsheets containing personal data.

In a conversation with T.S. that was recorded by law enforcement, Camp was confident that the university would not do anything about the Thanksgiving hack for fear of adverse publicity. In another recorded conversation, Camp boasts that "the cops were dumb to bust us so quick" and "if they knew the scope of this, they would have involved the feds."

After his November arrest by university police, Camp posted a message on his Facebook claiming he knew who had turned him in and accusing that person of lying to police. "I know who's (sic) the snitch," Camp allegedly said in the post. "I really hope you are feeling like s... for getting your friends in trouble." He later confided to T.S. that the postings were an attempt "to scare the girl that talked."

UCM police searched Fowler's room just days after Camp's arrest in New York and discovered that all of the computers had already been removed. A Post It note stuck on one of the remaining monitor's taunted police for being "too late."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon