Guilty Plea in Drug Company HackProsecutors Say Georgia Man Froze Shionogi Computers
Jason Cornish pleaded guilty to a charge of knowingly transmitting computer code with the intent to damage computers in interstate commerce, according to the U.S. Attorney's Office for the District of New Jersey. The charge carries a potential maximum penalty of 10 years in prison and a $250,000 fine. Sentencing is slated for Nov. 10.
Prosecutors say Cornish, a former IT staff member at Japanese pharmaceutical company Shionogi Inc., which has U.S. offices in New Jersey and Georgia, hacked the firm's computers Feb. 3 using a wireless network connection at a McDonald's restaurant.
He gained unauthorized access to the company's computer network, used a user account to access a server and then took control of a piece of software that he had secretly installed on the server several weeks earlier. He then used that software to delete the contents of each of 15 virtual hosts on Shionogi's computer network. These 15 virtual hosts, subdivisions on a computer designed to make it function like several computers, housed the equivalent of 88 servers. Prosecutors say Cornish used his familiarity with the network to identify each of these virtual hosts by name or by its Internet Protocol address.
The deleted servers housed most of Shionogi's American computer infrastructure, including the company's e-mail and Blackberry servers, order tracking system and financial management software. The attack froze the company's operations for a number of days, leaving employees unable to ship products, cut checks or communicate via e-mail. The security incident led to about $800,000 in expenses for the company, including responding to the attack, conducting damage assessments and restoring the company's network, prosecutors say.
In speculating about a motive, prosecutors note that in late September 2010, shortly after Cornish had resigned from the firm, Shionogi announced layoffs that would affect one of Cornish's close friends.