Page 3
Appeal in LASC Phishing Case Generates Three Opinions
Desai, Miller Say Person or Entity Targeted but Not Harmed Is Not a ‘Victim’ for Purpose of Enhancement, Drawing Dissent by Nelson; Desai Dissents as to Amount of Restitution to One Victim: Los Angeles Superior Court
By a MetNews Staff Writer
|
|
|
ORIYOMI SADIQ ALOBA cyberattacker
|
The Ninth U.S. Circuit Court of Appeals held yesterday, in a divided decision, that a District Court judge abused his discretion in imposing a sentence enhancement under a guideline that applies where there are 10 or more victims, holding that a targeted person or entity not suffering harm does not fall under the definition of a “victim.”
Circuit Judges Roopali H. Desai and Eric D. Miller said in a memorandum opinion that they counted only nine victims of a phishing scheme—one of which was the Los Angeles Superior Court (“LASC”). Circuit Judge Ryan D. Nelson dissented on that point, maintaining that the term “victim” encompasses anyone who is “deceived” or “fooled.”
The case spawned three opinions. A partial dissent was filed by Desai who disagreed with Miller and Nelson’s view that District Court Judge R. Gary Klausner of the Central District of California (a former LASC presiding judge) properly set the Superior Court’s loss and restitution amount at $45,484.31.
Phishing Scheme
Appealing his sentence was Oriyomi Sadiq Aloba, who was convicted in 2019 of 27 counts relating to the email phishing attack. In July 2017, Aloba and others used the compromised email of one LASC employee to send messages to other workers, purportedly from the file-hosting service Dropbox.
The email contained a link to a bogus website that asked for the user’s LASC login information. Thousands of employees received the message, and hundreds disclosed the requested data.
Those accounts were then used to send roughly 2 million phishing emails requesting the recipients’ credit card and banking information.
Some workers were goaded into turning over their financial information. The indictment does list the names of the affected employees.
After a jury found Aloba guilty, Klausner sentenced him to more than seven years in prison, a term that reflects an enhancement based on the scheme involving more than 10 victims. He set the restitution amount by calculating the hourly wages applicable for the time spent by court employees to deal with the breach.
Yesterday’s opinion vacates the sentence based on a finding that the enhancement should not have been imposed.
Number of Victims
Desai and Miller said:
“The district court abused its discretion by applying a two-level enhancement for 10 or more victims under U.S.S.G. § 2B1.1(b)(2)(A)(i). The record shows that Aloba caused actual financial loss to one individual and two entities—American Express and the LASC—and that he used the identification of six other individuals to send emails or attempt to charge their credit cards. We agree that all of those individuals and entities are victims, but there are only nine of them.”
They acknowledged that the term is not defined in the sentencing guidelines and turned for guidance to the application notes, which explained that a “victim” in an identity theft case includes “any person who sustained any part of the actual loss determined” as well as “any individual whose means of identification was used unlawfully or without authority.”
Following that definition, they wrote:
“Although the district court asserted that ‘there [we]re many, many more than ten victims, maybe 500 Los Angeles Superior Court employees,’ the court did not explain how it arrived at that figure. In particular, it did not explain how any of those employees suffered any harm (even harm to their privacy or reputation), sustained any actual loss, or had their means of identification used unlawfully….The district court therefore abused its discretion by applying the victims enhancement.”
Nelson’s View
Nelson objected to the majority’s reliance on the definition supplied by the application notes without first addressing the “ordinary tools of statutory interpretation.” He noted that “[d]ictionaries define ‘victim’ as the ‘target’ of a crime and any person ‘harmed’ by it,” and remarked that “[i]n the context of fraud, that includes anyone ‘deceived, fooled,’ or otherwise manipulated.”
He opined that “[t]hese definitions reflect ordinary usage,” pointing out that “[w]hen a hacker steals someone’s social security number or login credentials, ordinary English speakers call that person a ‘victim’ of identity theft.” Based on that view, he concluded:
“[T]he 127 employees whose email credentials were stolen are ‘victims.’….Besides spending time and energy recovering their identities, such individuals suffer ‘the gravest of concerns’ about their privacy, finances, and reputation.”
The judge objected to the majority’s “[j]ettisoning the plain meaning,” a decision that he said will “decrease[] Aloba’s recommended sentencing range by 12–16 months.”
Pecuniary Loss
Miller and Nelson noted that the Mandatory Victims Restitution Act requires a convict to pay for any “pecuniary loss” caused by his criminal actions. They wrote:
“The district court reasonably determined that the LASC suffered a pecuniary loss because it was deprived of valuable employee time that would have been spent on other projects in exchange for the salaries that the employees were paid. After Aloba’s attack, six senior IT employees and 40 desktop support staff spent approximately four weeks investigating the attack and resetting the compromised accounts….Aloba’s attack directly and proximately caused that productivity loss.”
Noting that “[h]ad the LASC hired an outside contractor to respond to Aloba’s offense, there would be no doubt that its payments to the contractor would constitute pecuniary harm,” they found no meaningful difference in allowing the employer to recover for the “productive work time that would have been spent on completing other projects for which they were hired and paid.”
Desai’s View
Disagreeing with the computation, Desai said:
“[T]he district court calculated a loss and restitution amount of $45,484.31 for the estimated time LASC IT employees and desktop support staff spent responding to Aloba’s attack. But LASC was already paying its employees’ wages for this work. The majority’s holding that it was nevertheless reasonable for the district court to calculate pecuniary harm because LASC ‘was deprived of valuable employee time that would have been spent on other projects,’…is unsupported by the law and the record.”
Commenting that the employees were performing “their ordinary duties that they were already paid to do: address cybersecurity issues and phishing attacks,” she argued:
“[B]y allowing restitution and a sentencing enhancement even when the victim did not identify specific monetary loss from the defendant’s conduct, the majority’s approach risks unintended consequences….Entities may now seek restitution for wages and employee salaries even if the employees continued performing their day-to-day tasks and did not divert their attention from revenue-generating work or otherwise cause their employer monetary loss.”
The case is U.S. v. Aloba, 22-50291.
Copyright 2025, Metropolitan News Company