Auernheimer will also serve an additional three years of probation and pay more than $73,000 in restitution to AT&T.
Some are applauding the sentence. “Vulnerable systems exploited by attackers can have serious consequences beyond hacktivists claiming their break-in trophies,” said Mark Bower, vice president of Voltage Security, in an email to Infosecurity. “The impact of the Keys situation was manipulation of the media, and potentially access to sensitive data. That in itself could have costly impact, depending on how readers or even industry groups might respond to a manipulated story, as well as the fallout from potential sensitive data theft. If systems used to communicate with the public can be manipulated, then there will be consequential costs and harm.”
Auernheimer and his partner in crime, Daniel Spitler, were convicted last year of identity theft and “conspiracy to access a computer without authorization.” The two used a flaw in AT&T’s set-up process for the iPad 3G to obtain unique SIM identifier numbers for iPads and, from there, their owners’ email addresses.
Auernheimer maintained that he informed AT&T of the breach, which AT&T denies. Early in 2011 Auernheimer and Spitler were arrested.
Auernheimer's sentence is the latest in a string of hacking prosecutions that many say levy overly harsh penalties for relatively light offenses.
Last week, prosecutors indicted Reuters social media editor Matthew Keys for conspiracy to help the Anonymous hacking collective break into Tribune Co. networks – in retaliation for being fired from his job as a web producer there.
If convicted, Keys faces up to 25 years in prison, nine years of supervised release and a fine of $750,000.
In January, internet activist Aaron Swartz committed suicide while facing trial for allegedly illegally downloading millions of scientific journal articles from the Massachusetts Institute of Technology and JSTOR (a journal storage repository) in the name of freedom of information and open access. Swartz faced a potential sentence of more than 30 years in prison.
Auernheimer, Keys and Swartz were charged under the Computer Fraud and Abuse Act, which Bower said is a necessary protection. “Over the years we've witnessed repeated successful attacks to critical infrastructure, hospitals, patient data, banks, credit card processors and government – the stakes are high, and so courts can't take any attacks to any critical infrastructure lightly when establishing the extent of punishment,” Bower opined.