Adrian Lamo convicted for gaining unauthorized access to New York Times

Incident Date: February 2002
Incident Location: New York NY USA

Adrian Lamo pled guilty on January 8, 2004 to a count of unauthorized access to the New York Times internal computer systems. On February 26, 2002 Mr. Lamo penetrated a database containing the personal information of more than 3,000 New York Times editorial page contributors. He added his own contact information and listed himself as an expert in computer hacking.

Mr. Lamo began accessing the internal New York Times network using an improperly secured proxy server. Using this server as a launching pad for internal searches, he found the intranet homepage and an unprotected copy of a database that cataloged employees' names and Social Security numbers. "From what I've been able to tell, it was a backup database being used for research," Mr. Lamo reported.

This turned out to be useful information because the default account password for employees at the New York Times was the last four digits of the personís Social Security number. Mr. Lamo found an account with this default password that belonged to an administrator. With this identity he created his own privileged network account.

Mr. Lamo also set up five fictitious user accounts and passwords for the LexisNexis news service associated with the New York Times account. Over a three-month period, those five accounts were associated with more than 3,000 searches using LexisNexis. He was initially accused of generating more than $300,000 in LexisNexis service fees, but this figure was reduced to $18,500 at the time of his sentencing.

On July 15, 2004, Mr. Lamo was sentenced to six months of home confinement, two years of probation, and ordered to pay more than $64,900 in restitution to the New York Times.

As part of his plea agreement Mr. Lamo admitted responsibility for additional computer intrusions into organizations such as Excite@Home (May 2001), Yahoo! (September 2001), Microsoft (October 2001), MCI WorldCom (November 2001), SBC Ameritech (December 2001), and Cingular (May 2003).

Story Sources

Title: NYT Hacker Released on $250,000 Bond
Author: Elinor Mills Abreu
Date: 9/9/2003
Publication: Reuters
Publication Location: San Francisco CA USA
Publication URL:

Title: New York Times Internal Network Hacked
Author: Kevin Poulsen
Date: 2/26/2002
Publication Location:
Publication URL:

Title: Hacker Pleads Guilty in Manhattan Federal Court to Illegally Accessing New York Times Computer Network
Date: 1/8/2004
Publication: US Attorney Press Release
Publication Location: New York NY USA
Publication URL:

Title: NYT hacker Adrian Lamo gets home detention
Author: Paul Roberts
Date: 7/19/2004
Publication: PC World (IDG News Service)
Publication Location: USA
Publication URL:;1045798212;fp;2;fpid;1

Do you have additional information to contribute regarding this story? If so, please email with the details and source.

<-- Back to Authentication Story Index

[Home] [About Us] [News] [Research]

Copyright © 2016