Two Seattle men were sentenced Thursday for a 30-month crime spree that involved both physical burglary and hacking into computer systems at multiple Eastside businesses to steal personal and business information used in a variety of thefts and frauds.
John Earl Griffin, 36, was sentenced to 95 months in prison and three years of supervised release.
Brad Eugene Lowe, 39, was sentenced to 78 months in prison and three years of supervised release.
Both men pleaded guilty last year to conspiracy to intentionally access a protected computer without authorization with intent to defraud, intentionally causing and attempting to cause damage to a protected computer and thereby causing loss in excess of $5,000, accessing a protected computer without authorization to further fraud, access device fraud, and aggravated identity theft.
At sentencing U.S. District Judge Richard A. Jones said the crime spree was “a sophisticated endeavor … a unique combination of computer hacking and burglary.”
“More than 50 local businesses were hacked, burglarized, or both by this crime ring, resulting in more than $3 million in losses,” said U.S. Attorney Jenny A. Durkan, who leads the Justice Department’s Cybercrime and Intellectual Property Enforcement working group. “The companies had their computer systems damaged or even effectively destroyed. Beyond the fraud and physical damage there are costs without a price tag – the violation of the sense of security for their customers, employees, and owners.”
According to records in the case, beginning in 2008 and continuing into 2010, Lowe, Griffin and a third defendant, Joshuah Allen Witt, 34, hacked the networks of more than a dozen businesses and burgled more than 40 businesses to steal equipment and obtain personal and business information used for fraud.
The ring obtained credit card numbers and used them to purchase tens of thousands of dollars of high tech equipment and luxury goods that they used or sold. They hijacked payroll information so that payroll funds would be distributed to accounts under their control and sent company funds to reloadable debit cards, allowing them to rapidly cash out the company accounts.
The ring broke into businesses and stole computer equipment, which they then used to hack into the company’s network. The men outfitted at least one vehicle with high tech equipment, including extensive antennas, allowing them to search for wireless networks they could use both for hacking and to hide their “digital fingerprints” when they accessed a company network.
The steps they took to hide their identities led to innocent third parties or company employees being suspected and interviewed by law enforcement.
Several Eastside businesses were named as victims, including at least three in Kirkland and four in Bellevue. One of the major thefts, totaling more than $300,000, took place at Concur Technologies in Redmond.
The men hacked into one Renton business and stole the personal information of more than 50 employees.
Among the techniques was a tactic known as “war-driving,” according to the charges, in which people drive through neighborhoods with a long-range antenna to find vulnerable networks.
At the sentencing hearing representatives of the victim companies addressed the court. One man whose firm had built the computer network for one of the victim companies said, “years of work and the building of trust were soiled beyond repair … Because of the hacking we had no option but to essentially pour gasoline on years of work.”
The third defendant, Joshuah Allen Witt, pleaded guilty last month and is scheduled to be sentenced in June. In August, Judge Jones will determine the amount of restitution the men owe. The figure is expected to be in excess of $3 million.
The victim companies quickly reported the suspicious activity on their networks, which assisted law enforcement in the investigation.
Avoid being a victim
The U.S. Attorney and law enforcement urge businesses to take steps to avoid being a victim:
• Businesses should review their wireless encryption and confirm that they are using the appropriate level of encryption (WPA2 Personal or WPA Enterprise).
• Businesses should keep a record of all laptop computers and ensure that any computers with remote access are encrypted. Any missing laptop computers should have passwords and credentials replaced immediately.
• Businesses should be aware of hacking that can occur from physical access to the server room as well as from external hacking.
• Employees should never click past security certificate warning screens and should notify I.T. immediately.
• Managers should be aware of “watercooler” talk among employees that may indicate a breach has occurred. This includes numerous employees complaining of fraud on personal accounts.
• Businesses should ensure that they have a security response plan prepared in the event that some kind of incident does occur.
• If you notice suspicious activity, contact your local law enforcement. You can make a referral to the U.S. Secret Service Electronic Crimes Task Force.
The case was investigated by the U.S. Secret Service Electronic Crimes Task Force comprised of officers and agents from the Seattle Police Department, King County Sheriff’s Department, Kirkland Police Department, Bellevue Police Department, and Lynnwood Police Department. Significant additional assistance was provided by the Redmond, Renton, Woodinville and Bothell Police departments.
The case is being prosecuted by Assistant United States Attorney Kathryn Warma.