Disparity in Penalties for Financial Crimes Versus for Massive Hacking

About 5,300 Wells Fargo employees took advantage of their employer’s incentive bonuses by creating 1.5 million deposit accounts and 565,000 credit cards without the customers’ awareness.  Wells Fargo admitted the misbehavior and seems determined to do the right thing by its customers.

It fired 5,000 and, to identify the problem in detail, set in motion a review of its accounts by an independent team.  That team reports refunds averaging $25 to each customer who was given an unsolicited account or card.  The refund is for unauthorized fees and charges and is verified by the independent reviewers.

Wells Fargo’s executives should have become aware of this staff problem earlier, in their routine review of the bank’s results.  For its lack of vigilance, Wells Fargo has been fined $185 million to be split — $100 million to the Consumer Financial Protection Board, $50 million to California and Los Angeles, and $35 million to the Office of the Comptroller of the Currency.  Also, Wells Fargo has been twice summoned by Congress to patiently endure fiery political theater, but very few questions.

Earlier, JP Morgan faced similar lack-of-vigilance criticism and an outsized fine ($925 million) as punishment in the London Whale scandal, and another $5.9 billion for robo-signing.  Citibank earlier was fined a total of $7 billion for misdeeds related to the subprime mortgage settlement.  The sheer scale of these fines stands out, especially in contrast to the risible punishments of hackers for the damages they inflict on millions of American consumers.

Wikipedia tabulated the crimes and punishments of 37 convicted computer criminals.  None of those it lists were convicted more recently than 2012, and most are from the 1990-2010 period.  Sentences are usually light, for example, 2 years of prison with early release, or probation only.  Only 4 of the 37 were sentenced to more than 2 years.  Restitution was seldom part of the sentence, and when it was, the amount was a token – certainly insufficient to pay consumers for the damage and inconvenience they endured.  Beyond Wikipedia’s list there are many other cyber criminals who are still at large, and just a handful who have been sentenced to stiffer punishments.

The computer crimes listed on Wikipedia were not committed by amateurs.  They include the creation and dissemination of viruses, including those named Kournikova, Melissa and Blaster Worm.  The Melissa virus caused $80 million in damages to companies, but the criminal who created and spread that virus was fined a mere $5,000.

Others hacked and stole credit card data from the Lowe’s chain of home improvement stores, and broke into the personal records of 300,000 consumers held in LexisNexis databases.  Other hackers were convicted for breaking into computer systems at the US Navy, the National Geospatial Intelligence Agency, the US Department of Defense, the NSA, NASA and the Pentagon.  What they learned, and especially what they shared with others, made all of us less secure.

Some criminals hack personal information for the goods and services they can steal through identity fraud against innocent victims.  Most often a high volume of stolen cards is broken up and sold to middlemen thieves who do the card-by-card theft.  Other criminals have political motives, as in the OPM hack and the WikiLeaks distribution of stolen DNC and Clinton election emails.

Some cyber criminals embed unauthorized-access “backdoors” into devices and software used at the center of the internet.  For example, Juniper Networks found 2 backdoors embedded in its NetScreen/VPN software.  Easy access by criminals to devices and software at the center of the internet’s infrastructure exposes all internet users to theft, lost privacy or corruption of information for extended periods of time.

With one exception, the criminal leaders behind the massive hacks (below) aimed at consumers have not been captured.  When they are caught and convicted, we have to wonder what incarceration and restitution prosecutors and judges will assign them.  Will they be the picayune slaps on the wrist shown in Wikipedia’s list, or will they convince prospective criminals with commercial motives to find another line of work?

Larger attacks on the American public:

·       22 million people were affected by the OPM hack

·       32 million personal account details from Ashley Madison

·       56 million people’s credit card information at Home Depot was exposed in 2014

·       70 million were affected by the Target hack

·       80 million Anthem customers’ personal financial information was exposed

·       15 million T-Mobile customers’ data was exposed while on Experian’s computers

·       700,000 taxpayer accounts on IRS computers were compromised

·       10 million consumers’ credit card details were hacked from Heartland Payment Systems

·       45 million people’s credit card data was exposed in the TJX hack

The one exception to the light sentences is Albert Gonzalez, who confessed and was sentenced to 20 years for his role in the TJX hack team and another 20 years for his role in the Heartland Payment hack.  The remaining TJX perpetrators are at large, and some suspects in the above attacks are considered to be nation state actors.

The sentences given computer criminals suggest prosecutors and courts treat computer crimes as nuisances.  That shortchanges the victimized consumers.  Appropriate sentencing should take into account the actual monetary damages inflicted on all victims of the crime: lost business and information, and damaged equipment and reputations.  Disruptions to public safety and security stemming from the crime should be taken seriously.  That a criminal might fancy himself a crusader for an idiosyncratic version of justice must not exonerate him from full responsibility and restitution for the crime.

One of the laws governing criminal justice for civilians in this arena is the Computer Fraud and Abuse Act (CFAA).  When a perpetrator is charged with crimes, the prosecutors like to use press conferences or televised perp-walks to brag about the total maximum prison sentence the perpetrator may face.  Actual sentences are usually far shorter since prosecutors routinely drop charges in return for the convenience of securing guilty pleas. 

Convenience aside, appropriate sentencing should include full restitution for monetary and reputational damages.  When law enforcement and courts show lenience in sentencing computer crimes, they give the unmistakable message that computer crimes are worth the risk.  That’s not how we victims see it.
