Manhattan District Attorney Cyrus R. Vance, Jr., today announced the indictment of SAM CHIHLUNG YIN, 34, for accessing and tampering with the corporate computer network of Gucci America, Inc. ("Gucci"), the Manhattan-based American affiliate of the Italian luxury goods retailer. YIN, who had been previously terminated by Gucci as a network engineer, used an account he secretly created during his tenure at Gucci to access and control the company's computer system, shutting down some of its servers and networks, and deleting data from others. He is charged in a 50-count indictment with Computer Tampering, Identity Theft, Falsifying Business Records, Computer Trespass, Criminal Possession of Computer Related Material, Unlawful Duplication of Computer Related Material, and Unauthorized Use of a Computer.[1]

"Computer hacking is not a game. It is a serious threat to corporate security that can have a devastating effect on personal privacy, jobs, and the ability of a business to function at all," said District Attorney Vance. "This Office's Cybercrime and Identity Theft Bureau is committed to preventing and prosecuting crimes such as the one charged in today's indictment."

According to documents filed in court, Gucci, whose American corporate headquarters are located on Fifth Avenue in Midtown Manhattan, provides employees with remote access to its virtual private network ("VPN") by attaching a USB-sized token to a computer. While employed as a network engineer, YIN secretly created a VPN token in the name of a fictional employee. After being fired by Gucci in May 2010 for unrelated reasons, YIN took the VPN token with him. In June 2010, YIN emailed members of Gucci's IT Department using the fictional identity and tricked them into activating his VPN token. In the months that followed, using the VPN token, YIN exploited his familiarity with Gucci's network configuration and administrator-level passwords to gain nearly unfettered access to Gucci's network. As a result, Gucci lost access to documents and e-mail for nearly 24 hours, while other documents and e-mails were deleted permanently. This intrusion cost Gucci more than $200,000 in diminished productivity, restoration and remediation measures, and other expenses.

On November 12, 2010, YIN accessed Gucci's network through the VPN for a two-hour period. During that time, YIN deleted several virtual servers, shut down a storage area network, and deleted a disk containing the corporate mailboxes from an e-mail server. As a result, Gucci staff was unable to access any documents, files, or other materials saved anywhere on its network. Additionally, YIN's destruction of data from the e-mail server cut off the e-mail access not only of corporate staff, but also of store managers across the country and the e-commerce sales team – resulting in thousands of dollars in lost sales. Gucci's IT staff was unable to restore system operations until the end of the business day, and the lingering effects of the intrusion continued to impose costs on the company in the weeks and months that followed.

The case is being prosecuted by Assistant District Attorney Ehren Reynolds, under the supervision of Assistant District Attorneys David Szuchman, Chief of the Cybercrime and Identity Theft Bureau, and Jeremy Glickman, Deputy Chief of the Cybercrime and Identity Theft Bureau. Investigative Analyst Michelle Moy assisted in the investigation, as well as Senior Forensic Examiner Richard Brittson. The District Attorney's Investigation Bureau assisted in the investigation, under the supervision of Chief John Bilich.

District Attorney Vance thanked Brian Parr, Special-Agent-in-Charge of the New York Field Office of the United States Secret Service, and the New York/New Jersey Electronic Crimes Task Force ("ECTF"), particularly Assistant to the Special Agent in Charge Ari Baranoff, supervisor of the ECTF, and Special Agent Timothy Desrochers, lead investigator in the case, for their assistance in the investigation.

District Attorney Vance also thanked the members of the Gucci MIS staff for their assistance in the investigation.

Defendant Information:

Jersey City, NJ

Charges:

Computer Tampering in the First Degree, Class C felony, 1 count
Identity Theft in the First Degree, Class D felony, 2 counts
Identity Theft in the Second Degree, Class E felony, 11 counts
Computer Tampering in the Third Degree, Class E felony, 2 counts
Computer Trespass, Class E felony, 6 counts
Falsifying Business Records in the First Degree, Class E felony, 2 counts
Criminal Possession of Computer Related Material, Class E felony, 10 counts
Unlawful Duplication of Computer Related Material, Class E felony, 2 counts
Computer Tampering in the Fourth Degree, Class A misdemeanor, 4 counts
Unauthorized Use of a Computer, Class A misdemeanor, 10 counts

A class C felony is punishable by up to 15 years in prison, a class D felony is punishable by up to 7 years in prison, a class E felony is punishable by up to 4 years in prison, and a class A misdemeanor is punishable by up to 1 year in jail.