AKRON, OH — A 21-year-old Canton, Ohio resident is facing federal charges in the U.S. District Court for the Northern District of Ohio after allegedly weaponizing malicious code to systematically harvest the personal information of approximately 300,000 individuals from a public-facing county court records platform.
The defendant, Michael Rogers, has been formally charged via criminal information with computer fraud and the destruction of records. The use of a criminal information filing signals that the defendant has waived his right to a grand jury proceeding, a procedural step that heavily indicates an intent to enter a guilty plea. An arraignment is scheduled for July 30.
The Attack Vector: SQL Injection & IP Masking
According to federal court records, Rogers targeted the public-facing portal that aggregates data from Stark County’s three municipal courts and the county common pleas court between January and October 2024.
The prosecution's case outlines a highly coordinated data-harvesting operation:
- The Vulnerability: Rogers deployed an SQL injection attack—a technique that exploits input vulnerabilities to insert malicious command strings directly into a website’s backend database.
- Automated Scraping: The custom code executed automated queries, extracted consumer profiles, and instantly transferred the records to a local database stored on Rogers’ computer hardware.
- Evasion Tactics: To prevent detection and bypass firewalls, Rogers utilized IP-masking tools to make the high-volume data requests appear as though they were originating from multiple separate computers.
- Evidence Destruction: Following the launch of an FBI cyber investigation, Rogers allegedly destroyed a computer, a cellphone, and two electronic storage drives to conceal evidence.
What Was Compromised
Local court administrators confirmed that the automated scraping was entirely confined to the public-facing interface.
- Data Fields Captured: The breach exposed individual names, dates of birth (DOBs), and vehicular license plate records.
- The Safeguard: Officials emphasized that the hacker never breached the court's core internal operating networks, and no Social Security numbers were compromised. Following the initial breach, a ransom demand for tens of thousands of dollars was sent to city officials via video, which the city's cybersecurity insurance carrier flatly refused to pay.
Corporate Connection & Operational Fallout
The federal investigation revealed that this was not an isolated incident. In 2023, Rogers successfully used the exact same SQL injection technique to compromise an unnamed multinational corporation based in Connecticut, successfully stealing the names, employee identification numbers, and passwords of roughly 150,000 corporate employees.
In the wake of the exposure, the Stark County clerks of courts took immediate steps to secure their data supply chain. The county completely terminated its contract with the third-party software vendor managing the registry, moving all database infrastructure and security updates directly under internal management.
The BKI Takeaway
For Consumer Reporting Agencies (CRAs) and data wholesalers, this case highlights the mounting cybersecurity vulnerabilities embedded within public-facing judicial indices. As local courts continue to lock down networks against automated harvesting and malicious scraping vectors, the commercial screening supply chain faces an increasingly complex environment. This incident underscores exactly why courts nationwide are continuing to transition away from bulk open web lookups and aggressively pushing record verification behind protected, localized courthouse firewalls.
For an on-the-scene perspective on the federal charges and the defendant's response to the investigation, you can watch this Local News Segment on the Stark County Court Breach. This video covers the local community impact and the official statements from the prosecuting attorneys regarding the upcoming plea agreement.
