The former IT administrator for the US city of Hoboken, New Jersey, pleaded guilty on Tuesday to hacking into email accounts to spy on the mayor and other staff.
Patrick Ricciardi, 46, formerly the chief IT officer for the office of Mayor Dawn Zimmer, was charged on three counts, according to court documents:
- Accessing a computer without authorization,
- Intercepting wire and electronic communications, and
- Disclosure of wire and electronic communications to a third party.
Ricciardi’s admitted hacking was one manifestation of how the mayor’s office suffered from bitterly divided political factions, as noted in the official complaint filed [PDF].
Zimmer stepped into her job as acting mayor in 2009 after winning a special election to replace Hoboken mayor Peter Cammarano, who was arrested on federal corruption charges.
(On the close-but-no-cigar corruption meter, note that this is not Felix Roque, former mayor of West New York, N.J., who was arrested last May with his son for allegedly hacking into a site that criticized his administration and for intimidating individuals associated with it.)
(However, if you’re thinking, “New Jersey, seriously, what’s up?” then yes, I’m with you.)
The FBI’s investigation found that many of the city’s elected officials maintained strong ties to Cammarano’s administration or were otherwise opposed to Zimmer, to whom they shoveled out grief and impediment on matters large and small.
The schism was reflected in comments on city-related blog postings. It was also reflected in leaks of confidential information, which caused the mayor’s office to initiate a security audit.
Excerpt from the official complaint [PDF]:
The audit turned up an archive, located on Ricciardi’s computer, of all emails sent to or received by Zimmer’s account.
When interviewed by the FBI, Ricciardi admitted to configuring the archive file so that it would automatically collect all emails sent to the mayor and two high-ranking city employees.
He then forwarded those emails to three city officials, one of whom printed out a supposedly confidential email and laid it on the mayor’s desk.
Ricciardi intercepted the email so that he could "spy" on the Mayor and her employees, he said, and determine whether his job was secure.
Apparently, breaking federal law to find out if your job is secure is not a good way to ensure that your job remains secure.
Ricciardi is scheduled to be sentenced on July 1, 2013, before U.S. District Judge Esther Salas in Newark federal court.
Each of the three counts carries a maximum potential penalty of five years in prison and a $250,000 fine.
If you are the IT admin you didn't hack into anything. I would love to know how they got a conviction on "Accessing a computer without authorization," since he was the admin he arguably had authorized access to everything!
Yeah, that's correct. But then again, I believe it's expected that IT admins have a high sense of integrity & ethics, thus automatically would mean that you won't misuse your power as an IT admin.
No doubt about it, he broke the law big time.
He violated 18 USC § 2511 on the interception of wire and electronic communications as well as the disclosure of such communications to a third party.
No, he is not "authorized" to access electronic communications unless it is for legitimate troubleshooting purposes or it is accidental or incidental to his duties. This is covered under 18 USC § 1030 in that he "exceeded" his authorization.
Although he probably did have authorization to back up or archive the emails under his duties to protect the integrity of the computer systems, that authorization would not normally extend to reading the emails and certainly not to disseminate the content without the permission of either the sender or recipient.
I hope that clears up your confusion over the charges and conviction. Banners and policies do not trump the statutes when it comes to government systems.
Just because someone HAS authorized access doesn't automatically mean they need to USE that access in their day-to-day work. The sooner people like Mr. Ricciardi are weeded out, the better for all of the rest of us in IT who believe in integrity, honesty, responsibility and accountability.
Not sure this counts as "hacking".
It depends on their disclaimer and policies in place.
He did "hack" into the system and acted as a malicious insider. He accessed the system and manipulated it without authorization and leaked sensitive data with the intent to benefit from it financially. To say that he wasn't hacking because he is an admin is like saying well the cashier that stole your identity didn't steal it because you authorized them to use your card for a transaction.
Makes you wonder what happened to asking. Why didn't he ask to access the e-mails or ask about his job security?
This is what happens when duties aren't properly segregated. He shouldn't have had free rein to do this…