A 32-year-old Ukrainian man who stole millions of credit card details using SQL Injection and then sold them on the Internet has been sentenced in the United States to 69 months in prison, the same amount of time he has already served. He must also pay one affected victim $1.8 million in compensation.

According to US authorities, the suspect and his accomplices used ‘a hacking technique known as a “SQL Injection attack”’ to gain unauthorized access to networks. They then stole credit card details and other personally identifiable information and sold the captured data on multiple online marketplaces. The suspect laundered the money.

The man, who lived in the US, was arrested at John F. Kennedy International Airport in New York in March 2019 and has been in custody since then. He pleaded guilty last September. In theory, the man could have been sentenced to decades in prison. However, the judge decided to take into account his mental health, which deteriorated sharply in prison.

SQL Injection allows an attacker to execute SQL commands on a system, which is often possible because user input is not properly validated. The problem has been known since 1998, but it still occurs because web developers write unsafe code.

In short:

| Summary Point | Details |
| --- | --- |
| Offender | 32-year-old Ukrainian man |
| Crime | Stole millions of credit card details via SQL Injection |
| Sentence | 69 months in prison (time already served) |
| Compensation | $1.8 million to one affected victim |
| Key Facts | Arrested in March 2019; mental health considered in sentencing |

Last Update: December 28, 2024