Former Students Indicted for Computer Hacking at University of Central Missouri

KANSAS CITY, MO—Beth Phillips, United States Attorney for the Western District of Missouri, announced today that two former students of the University of Central Missouri (UCM) have been indicted by a federal grand jury for their roles in a computer hacking conspiracy.

“Two students sought to victimize thousands of students and others associated with the University of Central Missouri,” Phillips said, “but fortunately, their computer hacking scheme was discovered and their attempt to profit from it was thwarted. We appreciate the diligence of university officials, who immediately notified the victims when the breach was discovered, and have cooperated fully with our investigation.”

Joseph A. Camp, 26, and Daniel J. Fowler, 21, of Kansas City, Mo., were charged in a seven-count indictment returned under seal by a federal grand jury in Kansas City, Mo., on Thursday, Nov. 18, 2010. The indictment was unsealed and made public today upon Fowler’s arrest and initial court appearance.

Today’s indictment alleges that Camp and Fowler worked together in a computer hacking scheme while they were both students at UCM during the fall 2009 semester. They allegedly used Fowler’s room on the UCM campus as their base of operations from October to December 2009.

Camp and Fowler gained unlawful and unauthorized access to the UCM computer network, the indictment says, which allowed them to view and download large databases of faculty, staff, alumni, and student information; to transfer money to their student accounts; and to attempt to change grades. They allegedly sought to profit by selling lists of the personal information of faculty, staff, alumni, and students to others.

According to the indictment, Camp and Fowler developed a computer virus, which they used to infect UCM computers—including an attempt to infect the computer used by the university’s president. They allegedly used several strategies to infect computers, such as offering to show vacation photographs on a thumb drive that contained the virus, or sending out e-mails with the virus hidden in an attachment. The indictment also alleges that they manually installed the virus on several UCM computers in public areas, such as computer labs and the library. Once the virus was successfully installed on a computer, the indictment says, Camp and Fowler could obtain remote access to the computer, capture a user’s keystrokes and download any of the user’s files.

For example, the indictment says, Camp and Fowler used a thumb drive to download and install the virus on at least one university administrator’s computer. They allegedly monitored the administrator’s computer activity and captured his username and password. They used their remote access of this administrator’s computer to remotely turn on the webcam to watch and photograph the administrator sitting at his desk in his office, the indictment says, and to download his e-mails. They also obtained the username and password of a residence hall director, according to the indictment, and used that information to exploit the university’s computer system to conduct financial transactions, in an attempt to unlawfully credit their student accounts with UCM funds.

In December 2009, Camp allegedly contacted an individual in New York and offered to sell the personal information of thousands of people that he and Fowler had obtained from UCM. Camp offered to sell 90,000 identities for $35,000, according to the indictment.

When their activities were discovered by law enforcement, the indictment says, Camp and Fowler used the social media website Facebook.com to communicate threats and harass potential witnesses against them.

The indictment alleges that, after their hacking scheme was discovered, law enforcement officers executed a search warrant on Fowler’s university dorm room while Camp was in New York. Officers discovered that all of the computers had been removed from the room. According to the indictment, detectives found a post-it note on a remaining computer monitor, which read, “too late!” with a smiley face on it.

In addition to the conspiracy charge, Camp and Fowler are charged with one count of computer intrusion causing damage, one count of computer intrusion to further a fraud scheme, one count of computer intrusion to obtain information, one count of intercepting electronic communication, and two counts of aggravated identity theft.

Phillips cautioned that the charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.

This case is being prosecuted by Assistant U.S. Attorney Matthew P. Wolesky. It was investigated by the University of Central Missouri Police Department and the FBI.