LulzSec hacker pleads guilty to Sony Pictures attack, faces prison sentence

Filed Under: Law & order, Vulnerability

Man with clapperboard. Image from ShutterstockRaynaldo Rivera, from Tempe, Arizona, has admitted hacking into computer systems belonging to Sony Pictures, and stealing the personal information and passwords of thousands of innocent internet users

The attack, which took place in May last year, was part of a concerted attack against Sony websites by LulzSec and Anonymous hackers during 2011.

Rivera, who was arrested by the FBI in August, admitted his guilt in the form of a plea agreement filed with Los Angeles Federal Court.

Rivera - who used online nicknames including "neuron", "royal", and "wildicv" - admitted launching an SQL injection attack against the Sony Pictures website, extracting confidential and personal user information - such as the names, birth dates, addresses, emails, phone numbers and passwords of people who had entered Sony contests.

The stolen information was subsequently published online by the LulzSec hacking gang, compounding the risk to innocent users.

The hack is said to have cost Sony more than $605,000 in losses.

HideMyAss logoIn an attempt to hide his true identity during the attack, Rivera used the HideMyAss anonymising proxy service to disguise his IP address as he probed the Sony Pictures' website for vulnerabilities.

However, Rivera had not been careful enough in disguising his tracks - and HideMyAss co-operated with the authorities when a court order was received by the anonymising proxy service.

Others considering committing crimes on the net might be wise to stop believing that using an anonymising proxy service will necessarily keep them out of the clutches of the law.

Under the plea agremement, Rivera will pay restitution to his victims. He also faces a maximum five year prison sentence, and a fine of at least $250,000.

Man with clapperboard image from Shutterstock.

, , , , ,

You might like

10 Responses to LulzSec hacker pleads guilty to Sony Pictures attack, faces prison sentence

  1. Jezz · 1049 days ago

    Unless you use your own proxy service.. But still not worth doing any of the crimes

    • Chuck · 1049 days ago

      Use you own proxy?? Well, that would narrow it down to one person, hehe..

      • Pimpboy · 1049 days ago

        root server -> Run socks5 -> connect via it ?

        Or bounce through several proxies (Turn infected machines into proxies) do all this from a public wifi via a laptop (stolen) which you bought from a crack head.

        profit ?

  2. Richard · 1049 days ago

    How much were Sony fined for not securing their data properly?

    I'm not condoning what the hacker did, but if a website stores PII and is open to SQL injection, then the people running the site must bear at least some of the responsibility when they get hacked. After all, it's not like it's difficult to prevent!

    • wait really? · 1049 days ago

      By this logic, then we should extend some of the responsibility to the folks who clicked "Save this information for future visits" in the first place.

      Think of it like this: if you leave your computer at my house and I leave my front door unlocked, and someone walks in and steals it... And the Police catch him... Is it he, or I that has to replace your computer? Do you think I am responsible for your laptop just because you left it at my house?

      While, In fact. It may be my responsibility to lock my door...

      It is also your responsibility to not leave things lying around that are important to you. They are your responsibility, not mine.

      The only single person responsible for committing a crime.. is the thief. I did not steal your computer, and you did not steal your computer. He did. so only he should be responsible for replacing it.

      • Richard · 1048 days ago

        And by your logic, if I leave something in my Bank's vault - say, $1 million - and they forget to secure it properly, then it's my own fault for leaving that money lying around.

        Quite frankly, if I left my laptop at your house and you went out and left the door open, I would expect your home insurance to cover the loss. If you didn't have insurance, or they refused to pay because you'd left the door open, I'd expect you to pay to replace it.

  3. Jack · 1049 days ago

    How right you are, pretty soon there will be no secure steps taken and just rely on law enforcement to prosecute offenders. Some responsibility needs to be taken by the site.

  4. Nigel · 1049 days ago

    First of all, Sony should pay restitution to everyone who suffered a loss when their system was hacked. It was their responsibility to secure the data they held. I don't give a damn what kind of legalese was written into the Sony user agreement; they had a moral responsibility to their users. If they made themselves the caretaker of other people's property (and a user's personal information is certainly his property), then it was certainly their (Sony's) responsibility to safeguard that property.

    Next, Sony should collect restitution from Rivera, including all their costs in making restitution to their users, as well as the cost of recovering their own losses. After all, no losses of any kind would have occurred had he not chosen to interfere with other people's property, so he should ultimately be the one to make good on all the losses.

    Also, what is this guy Rivera...independently wealthy, or something? He must be, if he can afford to cover all the losses he caused. That's especially true if the idiotic state "justice" system is going to fine him a quarter of a million buck$ and then stick him in jail where his earning capacity is reduced to zero.

    For my part, I see no use whatsoever in the idea of "fines" or incarceration. Restitution — I mean FULL restitution of all losses, including those involved in identifying, tracking down, investigating, apprehending, and obtaining restitution from the culprit — is all that is necessary to ensure justice. Fines are nonsense...throwing money down the black hole of an already bloated, inefficient, and irresponsibly wasteful bureaucracy. If you want to have the state charge for the actual costs of nailing the bad guys, that's appropriate, but then it should actually cover those costs at the expense of the bad guys; no more and no less. Taxpayers shouldn't get stuck with the bill. That just replaces one injustice with another one.

    Finally, the whole idea of incarceration in a case like this is just stupid. Unless the crook is already a gazillionaire, he can't generate the money to pay restitution if he's rotting away in jail. This business of "teaching him a lesson" serves no purpose except satisfying some perverse cultural passion for revenge. I think the scoundrel will learn quite enough if he has to work his butt off to pay full restitution. Jail isn't going to teach him anything more valuable than taking full responsibility for the losses he caused.

  5. Pimpboy · 1049 days ago

    Sony saved user names and passwords in PLAIN TEXT.

    Then they reported a $605,000 in losses due to hacking !


  6. bits · 1049 days ago

    This unsecured data was most likely already in the hands of organised crime syndicates long before lulzsec got hold of any of it.
    When lulzsec got hold of it and published it, it became worthless to the organised crime syndicates therefore saving the owners of the data from a far greater loss of money and inconvenience.
    This guy is simply paying for the embarassment caused to Sony by him showing up how poorly protected their customer data is.

    The truth is, customer data security is low on the priorities of business - many of which are actively removing firewalls and relying on router access lists to protect their networks (disclaimer: I don't know if this is the case with Sony).
    Think about that, good powerful firewall's cost a lot of money so businesses accept the risk of not protecting customer data properly so they can get better performance out of fewer pieces of hardware.
    These are not small "nobody's" doing this but major internet players.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley