THOMAS G. A. BROWN
Assistant United States Attorney
Before: HONORABLE DEBRA C. FREEMANUNITED STATES DISTRICT COURT
United States Magistrate Judge
Southern District of New York
SOUTHERN DISTRICT OF NEW YORK
UNITED STATES OF AMERICA,
- v. -
18 U.S.C. §§ 1030(a)(5)(A)(i)
OFFENSE: NEW YORK
SOUTHERN DISTRICT OF NEW YORK, ss.:
STEPHEN P. GALLO, being duly sworn, deposes and states that he is a SpecialAgent of the Federal Bureau of Investigation (“FBI”), and charges as follows:COUNT ONE
1. From on or about October 31, 2004, up to and including on or aboutNovember 1, 2004, in the Southern District of New York and elsewhere, JUSTIN EHRLICH, thedefendant, unlawfully, willfully, and knowingly, caused the transmission of a program,information, code and command, and as a result of such conduct, intentionally caused damage,without authorization, to protected computers, causing loss to one and more persons during aone-year period aggregating at least $5,000 in value, to wit, EHRLICH, without the knowledgeor authorization of StaffIT, Inc. (“StaffIT”), accessed StaffIT’s computer network system andexecuted computer commands that, among other things, deleted electronic mail messages inStaffIT’s computer network in New York, New York.
(Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i).)
The bases for my knowledge and for the foregoing charges are, in part, asfollows:
2. I am a Special Agent with the FBI, and I have been involved personally inthe investigation of this matter. I am familiar with the facts and circumstances set forth below
from my personal participation in the investigation, including interviews I have conducted, myexamination of reports and records, and my conversations with other law enforcement officers.Because this affidavit is being submitted for the limited purpose of establishing probable cause,it does not include all the facts that I have learned during the course of my investigation. Wherethe contents of documents and the actions, statements and conversations of others are reportedherein, they are reported in substance and in part.
3. I have spoken with a representative of StaffIT ("the StaffITRepresentative"), who told me the following:
a. StaffIT is a technology services company which primarily recruitsand places technology staff, such as computer programmers, at client companies in New York,New Jersey, and Connecticut, among other places. StaffIT has approximately 6 to 8 employees,and has its principal place of business in Manhattan, New York.
b. StaffIT maintains an electronic mail (“e-mail”) system situated ona network of computers which are located at StaffIT’s offices in Manhattan, New York. The emailsystem allows StaffIT employees to communicate with each other and with individualsoutside the office, including potential technology staff recruits, as well as existing andprospective client companies. Individual StaffIT employees have e-mail accounts which areindividually accessible via usernames and passwords assigned to them. StaffIT’s email systemcan be accessed remotely from outside StaffIT’s offices. Only two employees, however, theChief Executive Officer of StaffIT and the StaffIT Representative, are authorized to do so.
c. StaffIT hired JUSTIN EHRLICH, the defendant, in or about July2004, as a salesperson. According to his employment application, EHRLICH lived at [Redacted by FindLaw]69th Avenue, Forest Hills, New York 11375 and a telephone number of 718-[Redacted by FindLaw].EHRLICH’s main responsibility was to generate new business by making unsolicited telephonecalls to prospective client companies. In connection with his employment, EHRLICH wasissued a username and password which allowed him, among other things, to access the StaffIT emailaccount issued to him. EHRLICH did not have access to any other StaffIT employees’ emailaccounts, nor did he have authority to remotely access StaffIT’s e-mail system.
d. The StaffIT Representative stated that EHRLICH did not meet histelephone call goals, made an excessive number of personal calls, and became less thanoptimally productive. Accordingly, after StaffIT employees repeatedly discussed withEHRLICH his poor performance between in or about August 2004 and in or about October 2004,the company decided to terminate EHRLICH’s employment on or about October 31, 2004.
e. The StaffIT Representative informed EHRLICH that hisemployment was terminated in a telephone call at or about 6 p.m. on October 31, 2004.At or about that time, the StaffIT Representative also remotely accessed his (the StaffITRepresentative’s) electronic mail account from his residence and noted that he had received a2
number of electronic mail messages from StaffIT client companies and technology staffersseeking employment through StaffIT.
f. On the morning of the next day, November 1, 2004, the StaffITRepresentative again accessed his electronic mail account – this time at StaffIT’s offices – anddiscovered that several of the electronic mail messages that he had reviewed the night beforewere now missing. With the assistance of other StaffIT employees, the StaffIT Representativereviewed records which reflected access to his e-mail account and learned that
i. a particular internet protocol address1
18.104.22.168 (the “IPAddress”),
had successfully accessed his StaffIT electronic
mail account using the StaffIT Representative’s
username and password approximately 31 times
or about October 31, 2004, and approximately
470 times between at or about 7:55 p.m.
and 11:33 p.m. onor about 12:03 a.m. and
8:40 a.m. on or about November 1, 2004.
ii. the IP Address had also successfully
accessed his StaffIT electronic mail account using
the StaffIT Representative’s username and password
a total of approximately 188 times between
October 3, 2004 and October 13, 2004.
g. The StaffIT Representative changed his e-mail password at approximately8:40 a.m. on November 1, 2004. From that time up to November 9, 2004 (the date of the latestrecords that are currently available), the IP Address unsuccessfully attempted to access theStaffIT Representative’s e-mail account a total of approximately 248 times.
4. I have reviewed records from StaffIT which reflect access to the StaffIT’se-mail system by the IP Address. In addition to the successful and unsuccessful attempts by theIP Address to access the StaffIT Representative’s e-mail account discussed above, I have learnedthat the IP Address successfully accessed EHRLICH’s StaffIT’s e-mail account approximately109 times between at or about 8:27 a.m. and 8:33 a.m. on November 1, 2004. I further learnedthat the IP Address unsuccessfully attempted to access EHRLICH’s StaffIT e-mail accountapproximately 13 times between at or about 8:33 a.m. and 8:34 a.m. on November 1, 2004.
5. I have reviewed records obtained from a company which provides internetaccess and learned that the IP Address corresponds to a cable modem account subscribed to by aJustin Ehrlich at [Redacted by FindLaw] 69th Avenue, Apt. 519, West Wing, Flushing, New York 11375-3312,with a home telephone number of 718-[Redacted by FindLaw]. – the same address and telephone number whichEHRLICH listed in his employment application with StaffIT (see paragraph 3(c) above). I
-------------------------------------------------- 1 An internet protocol address is a unique numerical address assigned to a particularcomputer that is connected to the Internet during a given session.
further learned that the subscription was opened on September 10, 2003 and was still active as ofNovember 17, 2004. Based on my experience and training, I know that cable modems, whichare devices by which users can gain access to the internet, are typically associated with “static”internet protocol addresses. That is, the same internet protocol address is assigned to the cablemodem each time it is used to access the internet. Further, I know from my training andexperience that cable modems are typically fixed in one particular physical location.
6. According to the StaffIT Representative, StaffIT has incurred a number ofimmediate costs as a result of the above-described unauthorized access to it’s e-mail system anddeletion of e-mails. Among other things, StaffIT was forced to retain the services of an outsidetechnical consultant to install new security software, change the existing passwords for thecompany, review e-mail logs and check StaffIT’s computers for other security intrusions. Inaddition, the unauthorized access to StaffIT’s e-mail system and deletion of e-mails has absorbedthe time and attention of StaffIT employees and senior executives, including the CEO.According to the StaffIT Representative, the damages to StaffIT’s business as a direct result ofthe attack, including the time, effort and out-of-pocket expenses required to address theunauthorized intrusion and restore StaffIT’s computer security, exceed $5,000.2
WHEREFORE, deponent prays that an arrest warrant be issued for JUSTINEHRLICH, the defendant, and that he be imprisoned or bailed as the case may be.
Sworn to before me this
STEPHEN P. GALLO
FEDERAL BUREAU OF INVESTIGATION
29th day of November, 2004
UNITED STATES MAGISTRATE JUDGE
SOUTHERN DISTRICT OF NEW YORK
2 This amount does not includ losses suffered by StaffIT resulting from lostbusiness opportunities and damage to customer relations as a consequence of the missing emails.
Source: U.S. Dept. of Justice