A federal jury in the Northern District of Texas has convicted Michael Musacchio, a former logistics company executive, of violating the federal Computer Fraud and Abuse Act. The evidence presented at trial showed that Musacchio engaged in a conspiracy to hack into his former employer’s computer network to obtain confidential information for use in a competing business. This conviction comes on the heels of a new cybersecurity executive order issued by President Obama and provides a timely reminder of the serious threats that businesses face with respect to network security. It is also an example of federal law enforcement’s increased efforts to curb cyber misconduct.
According to a January 2013 indictment, Musacchio, two co-defendants, and other unindicted co-conspirators were involved in a conspiracy to illegally obtain proprietary and confidential information from their former employer, a logistics company operating in Texas and Tennessee (the “victim company”). Musacchio served as the victim company’s president and chief executive officer from 2000 through 2004. In 2004, Musacchio and his co-defendants began developing a competing logistics company. Musacchio became director, president, and chief executive officer of the newly formed competitor in 2005.
After leaving the victim’s employment, Musacchio conspired with two co-defendants – a senior network engineer and a high-ranking executive – to obtain unauthorized access to the victim company’s computer network. They used administrator level network credentials to obtain emails, budgets, financial reports, sales statistics, employee incentive plans, and other sensitive information contained in the email accounts of the victim’s president, vice president, and legal counsel. Even after Musacchio’s co-defendants left the victim’s employment, the three made arrangements to maintain their administrator credentials and developed a “backdoor” that allowed them to continue their unauthorized access to the network. In the three months after Musacchio became employed by the victim’s competitor in 2005, user accounts belonging to Musacchio were used to access the victim’s email servers approximately 3,000 times.
The jury convicted Musacchio of one count of conspiracy and two counts of violating the Computer Fraud and Abuse Act. He is scheduled to be sentenced June 2013. Musacchio’s co-defendants pleaded guilty to conspiracy charges prior to trial and are also awaiting sentencing.
Musacchio’s prosecution is an example of the federal government’s increased interest in preventing and prosecuting cybercrime. The conviction was the result of efforts by local cybercrime investigators, local prosecutors, and the DOJ’s Washington, D.C.-based Computer Crime and Intellectual Property Section. Businesses – and offenders – can expect similarly coordinated efforts in cybersecurity cases going forward. The case is also a reminder that businesses must be diligent in protecting the sensitive information they store and share on their computer networks. Haynes and Boone regularly advises clients on how to protect their cyberdata, including by immediately terminating former employees’ network access, requiring employees to frequently change their passwords, monitoring network access, and regularly scanning their networks for malware.