Friday, April 26, 2024
Courthouse News Service

Ninth Circuit overturns $1.7 million restitution order for Russian hacker

A 3-judge panel found insufficient evidence to justify a $1.7 million award to compensate LinkedIn, Dropbox, Formspring and Automattic for a 2012 data breach.

SAN FRANCISCO (CN) — Russian hacker Yevgeniy Nikulin is off the hook for $1.7 million in restitution a federal judge ordered him to pay four tech companies whose user databases he breached in 2012.

The Ninth Circuit overturned the award Wednesday, finding insufficient support for the amount of resources the companies claim to have spent trying to repair the damage Nikulin caused.

In 2020, a jury found Nikulin responsible for three data breaches in 2012 at LinkedIn, Dropbox and now-defunct social media platform Formspring, and stealing more than 100 million encrypted user passwords that he sold to associates.

Authorities arrested Nikulin in the Czech Republic in 2016 and extradited him to the U.S. in 2018 to face nine criminal counts of computer intrusion, causing damage to a protected computer, aggravated identity theft, trafficking and conspiracy. He pleaded not guilty in 2018 and went to trial in March 2020, though proceedings were suspended for several months due to Covid-19.

In July 2020, U.S. District Judge William Alsup sentenced Nikulin to 88 months in federal prison and ordered him to pay $1,734,000 in restitution: $1 million to LinkedIn — reduced from a requested $2 million — $514,000 to Dropbox, and $20,000 to Formspring. He also awarded WordPress parent company Automattic $200,000, though Nikulin was not charged for that intrusion because there was no evidence that he stole any user credentials.

On appeal, Nikulin argued that letters the companies had submitted to the court were inadequate to prove their losses, along with other evidence submitted by the government. “The difficulty here is there's just no facts,” his attorney Karen Landau told the panel comprising Chief U.S. Circuit Judge Mary Murguia, U.S. Circuit Judge Lawrence VanDyke, and U.S. Circuit Judge Sandra Ikuta.

The three judges agreed. “Although trial testimony and logs submitted at trial showed the extent of the victims’ responses to the computer intrusions, that evidence did not provide a basis for determining the costs incurred by the victims in mounting those responses,” the panel wrote in a brief order issued Wednesday.

But in upholding Nikulin’s 88-month prison sentence, the panel found Alsup’s conservative estimate that the company’s losses exceeded $550,000 to be reasonable, given the size of the companies and the nature of their response to the breaches. They concluded that Alsup was therefore not wrong to apply a sentencing enhancement.

Murguia is a Barack Obama appointee, while George W. Bush appointed Ikuta and Donald Trump appointed VanDyke.

Neither the Justice Department nor Landau immediately responded to requests for comment Wednesday.

Follow @MariaDinzeo