The hacker, whose name was not revealed, was arrested after breaking into a server owned by financial ASP, Online Resources (ORCC) and attempting to extort money from one of ORCC's client banks, said Ray Crosier, the company's president and chief operating officer.
ORCC offers online banking, electronic payment and other financial services over the Internet to 525 financial institutions in the US, Crosier said. ORCC uses a two-stage system by which it allows customers of its client financial institutions to use its services. When registering for online accounts through their banks, users are sent to registration servers, with each financial institution that ORCC deals with having its own dedicated server. After registration is completed on the first server, all information and transactions are handled through a second server, Crosier said.
The hacker was able to break in to a registration server used by the client due to an unpatched security hole on the server, Crosier said, declining to release the name of the company whose data was stolen. Crosier also said that the situation with that client was unique among ORCC's customers as the configuration used on the server was customised and not present elsewhere at ORCC.
In early 2001, the hacker broke into the registration server and was able to grab customer records that included names, addresses and bank account numbers, Crosier said. Because only registration was handled on the server, however, the hacker was unable to commit fraud, move funds or gain access to data from other banks served by ORCC, he said.
In late 2001, the hacker sent an e-mail to ORCC's client bank, saying that he would post the data he had obtained if he was not paid $10,000, according to US Secret Service agent Brian Palma.
After negotiations between the FBI and the hacker, the Secret Service was able to track the hacker's e-mail messages and the hacker was arrested on 16 January, by Russian law enforcement.