Lin Mun Poo, 32, a resident and citizen of Malaysia, pleaded guilty this morning in federal court in Brooklyn to possessing stolen credit and debit card numbers. Poo also admitted that he compromised a computer server belonging to the Federal Reserve Bank, and that he installed a malicious code onto that server.
According to the government’s filings in this case, the defendant made a career of compromising computer servers belonging to financial institutions, defense contractors, and major corporations, among others, and selling or trading the information contained therein for exploitation by others. On October 21, 2010, the defendant traveled to the United States for the purpose of obtaining additional stolen financial account information from other hackers, which he planned to use and sell for his own profit. When he was arrested a few hours after his arrival at John F. Kennedy International Airport, Secret Service agents seized his encrypted laptop computer, which contained financial account data and personal identifying information for thousands of individuals that he had allegedly obtained by hacking into various computer systems. One of the victims included FedComp, a data processor for federal credit unions. As a result, the defendant was able to gain unauthorized access to the data of various federal credit unions.
As reported previously on DataBreaches.net, Poo had been indicted in November 2010. Court filings at the time indicated that the encrypted laptop in his possession contained 400,000 icredit card, debit card and bank account numbers, and that was not the full extent of his hacking.
With respect to FedComp, the DOJ filing noted that the seized computer also contained evidence of the FedComp hack:
By hacking into the FedComp system, the defendant had unauthorized access to the data of the Firemen’s Association of the State of New York Federal Credit Union and the Mercer County New Jersey Teachers’ Federal Credit Union, among other victims.The defendant also admitted to compromising the computer networks of several major international banks and companies, and admitted earning money by finding and exploiting network vulnerabilities or trading and selling the information contained therein.
As also previously reported on DataBreaches.net, in April 2010, FedComp reported a breach to some states, although the breach did not result in any media coverage at the time. That breach report indicated that FedComp had “recently” become aware of a breach that had occurred in 2007. It is not clear whether there is any connection between the 2007 incident and Poo as the DOJ filing does not provide dates of the alleged hacking incidents.