Federal prosecutors arrested an AOL engineer this week and charged him with selling more than 93 million AOL email addresses to spammers. The 24-year-old employee was arrested at his home in West Virginia on Wednesday, and an accomplice, who brokered the email addresses to spammers, was arrested in Las Vegas, Nevada.
Both men were charged with violating a new federal antispam law, CAN-SPAM, which took effect January 1. Under the new law, the defendants could face 5 years in prison and fines of $250,000 or twice the loss from their activities, whichever is higher.
The AOL employee allegedly stole the identity of another AOL employee in 2003 to gain access to AOL's list of member screen names, which also includes private information such as telephone numbers, ZIP codes, and the types of credit cards customers use to pay AOL bills. The list doesn't, however, include the actual credit card numbers, which AOL stores in a separate database.
The employee sold the list to his accomplice, who, in turn, sold it to spammers for $52,000. The employee later sold another list for $100,000. He allegedly used the money to promote an Internet gambling site he created.
AOL originally discovered the theft during an unrelated investigation into a group of spammers and quickly identified the employee who had been stealing screen names. "We deeply regret what has taken place and are thoroughly reviewing and strengthening our internal procedures as a result of this investigation and arrest," the company said in a statement issued yesterday.