By no means an exhaustive list, but here's an assortment of convicted cyber criminals over the last three years who have received less prison time than Andrew Auernheimer, also known as "Weev."
The security researcher and self-proclaimed internet troll earned 41 months behind bars Monday for his role in using a script to retrieve data on roughly 120,000 Apple iPad users from a public web server.
- Romanian hacker Cezar Butu, who pleaded guilty to compromising the credit card processing systems of Subway restaurants in 2011, was sentenced to 21 months in prison.
- A Chicago woman with roots in Nigeria was sentenced to 30 months in prison for playing a key role in extracting cash from the bank accounts of individuals whose prepaid payroll information was stolen in a massive 2008 breach. Sonya Martin, 45, was part of a gang that evaded encryption on the network of Atlanta-based RBS WorldPay's U.S. payment processing division to compromise prepaid payroll debit cards, prosecutors have said.
- Two men each were sentenced to 36 months in prison for withdrawing tens of thousands of dollars from ATMs with credit card information that was stolen from craft-store retail chain Michaels Stores. In March, Eduard Arakelyan, 21, and Arman Vardanyan, 23, pleaded guilty to one count each of conspiracy to commit bank fraud, bank fraud and aggravated identity theft.
- A former bank executive was sentenced to 33 months in prison for committing 84 fraudulent wire transfers that deposited $673,000 of UBS Securities funds into his personal accounts. Shawn Reilly, 34, of Congers, N.Y., also received three years of supervised release. In addition, Reilly, who served as settlement group director at UBS from November 2007 to January 2010, was ordered to pay back the money he stole when he tricked his team into making "false journal entries" and authorizing bogus transfers, believing they were for legitimate customers. On Sept. 6, he pleaded guilty to one count of bank fraud.
- A Kansas City man was sentenced to two years in prison after he was found guilty in September of creating a virus and amassing a 100,000-node botnet to launch DDoS attacks against a number of websites, including Rolling Stone and Radar. Bruce Raisley, 48, launched the attacks against sites that published articles detailing an incident in which he agreed to leave his wife for a "woman" whom he met on the internet, according to prosecutors.
- A former IT head in Virginia, upset about being fired, was sentenced to two years and three months in prison for hacking into his former employer's website and deleting approximately 1,000 files. Darnell Albert-El, 53, of Richmond, Va., pleaded guilty in June to one count of intentionally damaging a protected computer without authorization, according to federal prosecutors.
- A former senior database administrator at a Houston-based electric provider, who was fired three months before he hacked into the corporate network to steal personal data belonging to 150,000 customers, was sentenced to a year in prison. Steven Kim, 40, was fired from his job at Gexa Electricity in January 2008. Three months later, he broke into the energy company's database to download files containing customer data such as names, Social Security and driver's license numbers, billing addresses and birth dates.
Auernheimer decided to fight the charges rather than plead guilty, unlike his co-conspirator, Daniel Spitler. Had he admitted guilt, he may have gotten less time. But it's worth noting that Auernheimer never intended to profit off the information he exposed, aside from the exposure that the "hack" would earn him. He also never published the information. Rather, he said he sought to embarrass AT&T for having poor security.
Many fellow security enthusiasts are worried that the zealous prosecutions of Auernheimer and others under the Computer Fraud and Abuse Act (CFAA) are telling of a system leveraging a draconian law to criminalize research and dissent.
Rep. Zoe Lofgren, D-Calif., has issued a draft proposal for "Aaron's Law," which would revise the CFAA. In January, Lofgren took to Reddit to announce her plans to reform the law so that people like Aaron Swartz, the computer programmer and freedom-of-information activist who committed suicide in January, are not punishable by decades in prison.
Lofgren's first version of the bill would "exclude certain violations of agreements or contractual obligations, relating to internet service," a provision of the existing statute under which Swartz was charged. She sought feedback from the internet community, including cyber security professionals, and came back in February with an updated proposal. "This revised draft also makes clear that changing one's MAC or IP address is not in itself a violation of the CFAA or wire fraud statute. In addition, this draft limits the scope of CFAA by defining 'access without authorization' as the circumvention of technological access barriers," Lofgren wrote.
(Auernheimer did not circumvent any "technological access barriers.")
Lofgren has told SCMagazine.com she wants to ensure the law is reformed in such a way that it doesn't legitimize certain attacks.
"My thought is that we should make changes to the statute so that if someone did something like Aaron, they would not be facing a 35-year prison sentence," she said. "On the other hand, there are in fact cyber criminals. I am not of the view that cyber crime is nonexistent."