A second alleged LulzSec member has been charged with involvement with a hack on a Sony Pictures website last year that resulted in $600,000 in damages, the loss of personal information for more than 1,000,000 users and a class action suit against the company as a result. Raynaldo Rivera, a 20 year old from Tempe, Arizona, was named in an indictment unsealed last week following his arrest by the FBI.
Rivera is alleged to have been an accomplice to Cody Kretsinger in the Sony hack, going by the nicknames “neuron,” “royal” and “wildicv” at various times; the 24 year old Kretsinger was arrested last September in association with the hack, and pled guilty this past April. Rivera, who faces charges of conspiracy and unauthorized impairment of a protected computer, surrendered to authorities six days after a federal grand jury in Los Angeles produced the indictment against him.
The hack in question took place across May and June of last year, and say Rivera and other LulzSec members using an SQL injection attack to gain access to Sony Pictures Europe’s systems, gathering passwords and personal information – including email and home addresses – of more than a million users in the process. Following the hacks, LulzSec released a statementnot only admitting to breaking into the system and compromising the personal information, but also complaining about what it saw as poor security measures on behalf of Sony that made their hack easier than it should have been. “From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?” the anonymous hackers asked. “What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.” Going one step further, the group added, “This is an embarrassment to Sony.”
Many of the users whose information had been compromised agreed, apparently, launching a number of class-action lawsuits against the company regarding the security measures and personal information that had been hacked. Those lawsuits prompted even more trouble for Sony when it emerged that its insurance company, Zurich American, refused to pay damages from the event, denying responsibility and stating that Sony’s policy didn’t cover “personal or advertising injury,” and therefore left the insurance company free of any obligation surrounding the hack.
According to the unsealed FBI indictment, Rivera not only participated in the hack, he also helped post the confidential information online, and was responsible for announcing the hack via the official LulzSec Twitter account. He is said to face up to 15 years in prison if found guilty of taking part in the hack.