Skip to main content

This frame grab of the PBS website shows a screen that appeared Monday, May 30, 2011, as PBS officials confirmed early Monday on its official Twitter account that the website had been hacked.The Associated Press

A suspected member of the clandestine hacking group LulzSec was arrested in Arizona on Thursday on charges of taking part in an extensive computer breach of the Sony Pictures Entertainment film studio, the FBI said.

A federal grand jury indictment returned this month and unsealed on Thursday charges Cody Kretsinger, 23, with conspiracy and the unauthorized impairment of a protected computer in connection with the attack in May and June.

The nine-page indictment said Mr. Kretsinger and co-conspirators obtained confidential information from Sony Pictures' computer systems using an "SQL injection" attack against its website, a technique commonly used by hackers to exploit vulnerabilities and steal information.

The organization had bragged of accessing more than 1 million accounts, but Sony, whose offices are in Culver City, Calif., later said about 37,500 users had personally identifiable information stolen.

Mr. Kretsinger, who went by the moniker "recursion," helped post information he and his co-conspirators stole from Sony on LulzSec's website and announced the intrusion via the hacking group's Twitter account, the indictment said.

The extent of damage caused by the breach of the studio's computer network remains under investigation, the FBI said.

LulzSec, an underground group also known as Lulz Security, at the time published the names, birth dates, addresses, e-mails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony.

"From a single injection we accessed EVERYTHING," the hacking group said in a statement at the time. "Why do you put such faith in a company that allows itself to become open to these simple attacks."

Hackers previously had accessed personal information on 77 million PlayStation Network and Qriocity accounts, the vast majority of which were users in North America and Europe, in what was then the biggest such security breach in history.

Mr. Kretsinger, in an initial court appearance in Phoenix on Thursday, was ordered released on his own recognizance by U.S. Magistrate Judge Lawrence Anderson.

But as a condition of his release, Mr. Kretsinger was barred from using a computer to access the Internet except at his place of employment, or from traveling to any states other than Arizona, California and Illinois.

Other high-profile firms targeted by cyber attacks included Lockheed Martin and Google Inc.

Sony officials declined comment on Thursday's arrest.

LulzSec is reputed to be affiliated with the international hackers collective called Anonymous, which has claimed responsibility for cyber attacks on government and private institutions around the world.

Mr. Kretsinger faces a maximum sentence of 15 years in prison if convicted.

The government is requesting that he be removed to Los Angeles, where Sony Pictures' computer system is located and where the case against him has been filed.

Interact with The Globe