A 34-year-old San Francisco man was arraigned on April 11 in federal District Court for the Sept. 17, 2015 hacking of Palo Alto Online and other websites operated by Embarcadero Media.

Ross M. Colby was charged by a federal grand jury in a sealed five-count indictment last Thursday, April 6, following an 18-month investigation by the FBI’s Computer Hacking and Intellectual Property unit in San Jose. The indictment was unsealed on April 11.

At the arraignment Colby entered a plea of not guilty, posted a $50,000 bond and was released. He was represented by Palo Alto criminal defense attorney Vicki Young and will appear before U.S. District Judge Lucy Koh in San Jose for a status conference on May 24.

Colby, of San Francisco, is charged with one felony for intentional damage to a protected computer, another for attempted damage to a protected computer and three misdemeanors for obtaining information from a protected computer. If convicted, the two felonies carry maximum sentences of 10 years imprisonment and $250,000 in fines.

The indictment alleges that Colby gained access to the corporate Google email account of an Embarcadero Media employee in July 2015 and then used information to cancel four domain names and change the company’s email exchange records to redirect email.

The charges contained in the indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty.

On the evening of Sept. 17, 2015, all of the websites operated by Embarcadero Media were taken over and all content removed. The home pages were replaced with an image of Guy Fawkes and a message stating the sites had been hacked because Embarcadero had “failed to remove content that has been harmful to the wellbeing and safety of others” and threatened that “Failure to honor all requests to remove content will lead to the permanent shutdown of all Embarcadero Media Group Websites.”

The URL header on each website stated: “Unbalanced journalism for profit at the cost of human right. Brought to you by the Almanac.”

The Guy Fawkes mask has been associated with the hacktivist group Anonymous.

The Almanac, serving Menlo Park, Portola Valley, Woodside and Atherton, is one of Embarcadero Media’s four newspapers. The company, which is headquartered in Palo Alto, also publishes the Palo Alto Weekly, Mountain View Voice, the Pleasanton Weekly and websites in each community.

The company’s IT staff was able to regain control over the sites and shut them down within an hour of the hack so they were no longer accessible to the public, but it took almost a full day to restore the content from back-ups and bring the sites back up.

The Palo Alto Police Department conducted a precautionary search of the company’s offices at 2 a.m. on the night of the hacking, and the FBI began an immediate investigation and secured company computer records and logs later that day.

According to Embarcadero Media President Bill Johnson, the damage went far beyond the unauthorized access to and seizure of the websites. Many internal company computer records, including all employee user accounts and client account information and billing records, were erased, Johnson said. Fortunately, the company’s back-up systems made it possible to restore all the information over the following week.

The indictment offers no clues as to Colby’s possible motivation or connection to The Almanac or Embarcadero Media.

Colby attended Wentworth Institute of Technology in Boston, Massachusetts, his father, John Colby, confirmed Wednesday. He was raised in Athol, Massachusetts, a small town of about 11,300 persons in northwestern Massachusetts.

According to his LinkedIn page, Colby claims to be a software researcher and developer at EMC2, now a subsidiary of Dell Technologies.

Dell EMC has offices throughout the Bay Area, including in the Stanford Research Park, according to its website.

Company spokeswoman Lauren Lee said that Dell does not employ anyone by Colby’s name.

Colby could not be reached for comment. His father said on Wednesday that he did not know anything about the indictment or his son’s arrest.

Young, Colby’s attorney, did not return a request for comment.

12 Comments

  1. Your IT staff must rock to get things back online and cleaned up as quickly as they did. Glad they finally arrested someone.

  2. Was any personal customer information stolen in this attack (real names, addresses, phone numbers, credit card numbers, IP addresses, browsing history, etc.)???

    We are so glad that PaloAltoOnline allows people to read the articles without logging in. Because of poor security at so many of these websites, I never give up private information when I don’t have to.

  3. Regarding the vulnerability of personal information stemming from the 2015 hack, here is the text of the letter sent to all registered users of our sites after the attack. The information it contained is still valid:

    Dear Registered User:

    Last Thursday night, September 18, Embarcadero Media was the victim of a cyber attack that took all of our websites down and replaced all content with an image and a message accusing one of our newspapers, The Almanac (covering Menlo Park, Atherton, Portola Valley and Woodside,) of failing “to remove content that has been harmful to the well-being and safety of others.”

    Though the image and some of the language in the message mimic that of the online hacking group Anonymous, which has taken credit for several major cyber attacks in recent years, no one has taken responsibility for the attack nor made any recent request that any content be removed.

    Neither we nor law enforcement authorities have any reason to believe the Anonymous group was responsible, nor do we have any idea of the reason our websites were targeted. You can read our story on the attack at http://www.paloaltoonline.com/news/2015/09/18/palo-alto-weekly-website-back-online-after-cyber-attack

    The digital vandalism was detected immediately and our technology team was able to restore our websites (PaloAltoOnline.com, AlmanacNews.com, MountainViewOnline.com, PleasantonWeekly.com and DanvilleSanRamon.com) at approximately 6 p.m. on Friday, September 19.

    A database of registered users and their passwords was stored on a different server that shows no evidence of having been accessed or hacked, and we have no reason to believe it was penetrated by the perpetrators. However, we can’t say with certainty that this didn’t occur, and therefore your user name and password, along with limited additional information you may have provided when registering, could have been compromised. That additional information was optional when you registered, except for your birth year (in order for us to comply with federal laws requiring we not allow youth under age 13 to register.) If you chose to, it could have included your first and last name, street address, phone number, birth year, gender, home zip code and work zip code.

    We do not store the credit cards or other financial information of our subscribers or registered users on any of our servers, so that information is not at risk.

    Though we have no reason to believe your user information was accessed, we recommend that you change your password by logging in on the home page of the site you registered with (or on multiple sites if you have multiple user accounts) and then clicking on your name, and then on the word “edit” by the blank password box. If you can’t remember your password, you can enter your user name (which could be either an email address or a name) and click on “Forgot Password.” Many people think they are registered users when they actually are not, so you may receive a message that you can’t be found in our database. If you think that message is in error, please email our IT director at fbravo@embarcaderopublishing.com and we’ll attempt to find your record.

    I have attached a document that explains more about how to change your password.

    If you used the same username or password for other purposes, for example to log into email or to access online banking services, or believe the information you gave us when registering your account could be used to answer security questions for those accounts, we recommend you change those login credentials as well.

    We are working closely with local and federal law enforcement to investigate the attack and they are hopeful of apprehending the perpetrator.

    Ironically, we have been preparing for a major upgrade and modernization of our user authentication system that was planned for implementation next month. We will be back in touch once the new system is ready so our users can establish new accounts.

    Thank you for your patience and understanding. We sincerely apologize for the inconvenience this may have caused you.

    Sincerely,

    Bill Johnson
    President

  4. I hope this loser gets more than a mere slap on the wrist, sending the message that computer hacking isn’t just fun and games for teenage boys. 10 years in jail isn’t asking too much.

  5. The article says this website was allegedly targeted because of certain material that was posted here. What exactly is that material? Is it still online?

  6. @resident,

    We were never able to determine what story, if any, this message referred to. We had not received any request for the removal of any content in The Almanac. So it remains unclear whether this was anything more than a threat designed to intimidate.
