Fraud Management & Cybercrime , ID Fraud
Hacker in UPMC Data Theft, Fraud Case Gets Maximum Sentences
Federal Judge Imposes 7-Year Prison Time in Human Resources Database Hack CaseA federal judge this week imposed the maximum sentences - a total of seven years in prison - on a hacker who earlier this year pleaded guilty in a conspiracy case involving the hacking of University of Pittsburgh Medical Center human resources databases and the theft of personally identifiable information of more than 65,000 employees - some which was then sold on the dark web and used for federal tax fraud.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
The U.S. Department of Justice in a statement on Monday says Justin Sean Johnson - also known as "TheDearthStar" and "Dearthy Star" on the dark web - received the statutory maximum sentences of 60 months of incarceration for conspiracy to defraud the U.S. and 24 months for aggravated identity theft, for a total of 84 months of prison time in the UPMC case.
Johnson, formerly of Detroit, Michigan, in May pleaded guilty to conspiracy and aggravated identity theft. He was the fourth individual in the UPMC case to plead guilty (see: Fourth Guilty Plea in UPMC Hacking Incident).
He also received the stiffest sentence for his role in the case, compared with the other defendants.
'Bulldozer' Hacker
In imposing Johnson's sentence, U.S. District Judge Mark Hornak noted the severity of the hacker's crimes, "likening his behavior to a 'bulldozer' through people’s personal lives when he 'indiscriminately' hacked their PII," the Justice Department says in its statement.
“Information compromise and identity theft victimize not only the individuals whose information is stolen, but also threaten our collective global security," Timothy Burke, special agent in charge at the U.S. Secret Service Pittsburgh Field Office, says in the DOJ statement.
The case "sends a message to Justin Sean Johnson and anyone who seeks to conceal their criminal activity in cyberspace and on the dark web that there is no hiding place we cannot find,” Burke said.
Some experts not involved in the UPMC case agree that giving Johnson the maximum sentences - despite his guilty pleas - is notable.
The prosecution and sentencing in the UPMC case "sends a clear message about the seriousness of hacking crimes and cyber fraud," says attorney Michael Borgia, a partner at the law firm Davis Wright Tremaine.
"We’ve seen courts in both the civil and criminal contexts struggle with how to quantify the harm that results from hacking and cyber, and sometimes there has been a perception that these types of crimes are esoteric or even 'victimless' in a sense, and therefore not that serious," he says.
"This sentence sends a powerful message to the contrary - that this crime involved real peoples' sensitive data and caused actual harm in terms of lost money and time."
Aside from the criminal cases, UPMC in July reached a proposed $2.7 million settlement in a civil class action lawsuit filed by employee plaintiffs against the healthcare entity related to the data breach case (see: UPMC to Settle Breach Lawsuit for $2.7 Million).
UPMC did not immediately respond to Information Security Media Group's request for comment on the sentencing of Johnson.
Case Details
Prosecutors say Johnson "infiltrated and hacked" into the UPMC HR server databases in 2013 and 2014 and stole employee's PII and W-2 information, which he then sold on dark web forums for use by conspirators, who filed hundreds of false 1040 federal tax returns in 2014, using the UPMC employee information.
From 2014 through 2017, Johnson also stole and sold nearly 90,000 additional, non-UPMC sets of PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud, the DOJ alleges.
The criminals filed fraudulent tax returns seeking approximately $2.2 million in refunds; about $1.7 million was actually disbursed, prosecutors say.
The proceeds from the fraudulent tax refunds were converted into Amazon gift cards and then used to purchase merchandise that was shipped to Venezuela, prosecutors say.
Co-Conspirators
Three others in 2017 pleaded guilty in connection with the UPMC incident (see: Medical Center Fraud Cases: 2 Indicted).
In July 2017, Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the U.S. in connection with filing false U.S. federal tax returns using identities belonging to hundreds of UPMC employees. She was sentenced to 16 months of time served and deported to Venezuela (see: Second Fraudster Pleads Guilty in UPMC Breach Case).
In April 2017, Yoandy Perez Llanes, a Cuban national, pleaded guilty to money laundering conspiracy and aggravated identity theft. He was extradited to the U.S. from Venezuela in August 2016 and was sentenced in 2017 to six months of time served.
Prosecutors said Llanes laundered the money using Amazon.com gift cards that Nodarse and others used to purchase merchandise, which was then shipped to Venezuela and retrieved by Llanes, Nodarse and others.
The DOJ says that in April 2017, Justin A. Tollefson of Spanaway, Washington, an enlisted U.S Army staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using stolen identities of UPMC employees to file four 2014 false federal income tax returns, collectively totaling approximately $56,000 in fraudulent refunds.