By: North County Times News Service
April 20, 2006
SAN DIEGO - A 25-year-old San Diego man is charged with hacking into
the University of Southern California's application system and
accessing confidential information on would-be students, federal
prosecutors said Thursday.
Eric McCarty, who earns money testing computers' network security, is
accused of using his home computer to hack last June into the Web site
that allows USC applicants to submit their information online.
Prosecutors said the data stored in the application system includes
Social Security numbers and birth dates of more than 275,000 people
who have applied to USC from 1997 through the present.
The site normally requires applicants to enter a username and password
in order to view the information they entered, and to change it if
McCarty, who also works as a computer network administrator, allegedly
exploited a vulnerability in the database that allowed him to bypass
the password protection.
Assistant U.S. Attorney Michael Zweiback alleged McCarty accessed
"information on a number of students," over several visits to the
site. But he declined to give an exact figure on how many students'
records were allegedly accessed.
McCarty copied several applicants' records, prosecutors allege in a
criminal complaint unsealed yesterday.
On June 21, 2005, the site and the database were shut down as a result
of the vulnerability, and the Web site remained off-line for nearly
two weeks, according to the U.S. Attorney's Office.
USC officials could not be reached for immediate comment.
Zweiback would not comment on McCarty's motivations for the alleged
hacking. He did say, however, that hackers can be attracted to large
"I think individuals who are computer trained like he is ... they're
always looking for vulnerabilities in large institutions," the
prosecutor said. "Beyond that, I'm not going to comment."
FBI investigators tracked down McCarty through the Internet protocol
address on his home computer, authorities said.
McCarty is expected to make his initial court appearance in Los
Angeles April 28. If convicted, he could face up to 10 years in
InfoSec News v2.0 - Coming Soon!