Matthew Keys, a former social media editor at Reuters, received a two-year federal prison sentence for providing his username and login credentials to a hacker associated with the hacking group Anonymous.
He was sentenced on Wednesday for 2010 violations related to the 30-year-old Computer Fraud and Abuse Act (“CFAA”). In providing his former login credentials to the hacker – who has never been charged – Keys assisted the hacker in temporarily altering the headline on a website owned by the Tribune Company.
He was previously a web producer for KTXL FOX 40, a Sacramento, Calif. television station owned by the Tribune Company. Keys left the company in late October 2010 and provided his old login information to the Anonymous hacker two months later.
In speaking with SCMagazine.com, Key's attorney Tor Ekeland called the Tribune's approach to information security “atrocious and negligent.”
Keys maintained access to “super user credentials” to the Tribune Company CMS (content management system), which allowed him to alter multiple media properties owned by the Tribune, according to an FBI release.
Ekeland told this publication he will file an appeal to stay the motion early next week. The case would then proceed to the 9th Circuit Court of Appeals.
After it was discovered that the website was altered, the Tribune Company “realized that they had hundreds of old usernames and passwords that they had never removed from the system,” said Ekeland. “They got embarrassed and they somehow think that by prosecuting people who are essentially pulling pranks, that is going to improve their information security.”
“Prosecutors can use their discretion to bring those exact charges against people — including journalists — whenever they see fit,” wrote Keys, in a post on Medium. “Until the law catches up with the times, there's no doubt that prosecutors will do it again.”
Tribune “spent months doing things that they should have been doing all along on the information security side,” said Ekeland.