US federal authorities said they had arrested Justin Sean Johnson in Detroit, Michigan, on charges associated with the 2014 hacking of a human resources database at the University of Pittsburgh Medical Center and thrown the book at him.
In a 43-count indictment returned last month and just unsealed [PDF], Johnson is charged with multiple counts of conspiracy, wire fraud, and aggravated identity theft for his alleged role in the theft of personal information associated with 65,000 employees from the medical center's PeopleSoft system.
"Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system," said Scott W. Brady, US Attorney for the Western District of Pennsylvania, in a statement.
Brady said Johnson sold the personal data he obtained on dark web markets between 2014 and 2017. The buyers of this data, according to the indictment, then submitted false tax returns to the IRS to obtain $1.7m in unauthorized federal tax refunds.
These dark web customers asked that their refunds be issued onto Amazon gift cards, which were then used to purchase goods on the e-commerce site. Between February 27, 2014 and March 14, 2014, almost $886,000 worth of merchandise purchased at Amazon.com – such as Apple and Samsung mobile phones and other electronics – was sent to individuals in Venezuela through reshipping services in Miami, Florida. The goods were then resold via online marketplaces in South America.
In 2015, a Cuban national in Venezuela, Yoandy Perez Llanes, was indicted for defrauding the IRS using data obtained from UPMC. He was arrested and extradited to the US the following year. In 2017, he pleaded guilty and was sentenced to time served plus six months, then deported.
The Johnson indictment doesn't detail the specific means by which he obtained access to the PeopleSoft system, but it suggests he found a way in via online research. The indictment claims that he taught himself to be proficient with the application and "performed over 1,000 Google searches for the word 'PeopleSoft,' in order to uncover any vulnerability in the software."
The court filing further says that he stored his findings in Google Drive documents titled "PEOPLESOFT PERMISSIONS" and "Super User."
According to the indictment, Johnson on several occasions "infiltrated the content server of the HR database at UPMC by use of the TOR network and queried the personal information of employees."
The Register asked UPMC whether it would provide more details about the vulnerability or mechanism that allowed access to its database. A UPMC spokesperson did not answer the questions we asked but instead replied with an emailed statement thanking federal investigators:
"We appreciate the diligent and thorough work of the US Attorney’s Office for the Western District of Pennsylvania, Internal Revenue Service, US Secret Service, US Postal Inspection Service, Department of Homeland Security Office of Inspector General and all authorities who contributed to solving this case."
The organization's reluctance to explain the vulnerability that enabled the theft of its data may be because it faces a lawsuit from employees seeking millions in monetary damages. The plaintiffs claim UPMC was negligent for failing to encrypt the data, to maintain an effective firewall, and to implement a robust authentication system.
Since 2014, UPMC has argued it isn't liable for losing the data, a position lower courts supported. But in November 2018, the Pennsylvania Supreme Court issued an opinion to the contrary, finding that employers do have a duty to safeguard employee data.
That ruling led to the reinstatement of the employee lawsuit, through which the claim of negligence will now have to be evaluated by the court hearing the case.
The Pennsylvania Supreme Court's effort to hold businesses accountable for their data handling could be undone if weaker federal rules get passed. In February 2018, a federal data protection bill prompted 32 State Attorneys General to co-sign a letter expressing concern that the proposed national legislation would preempt stronger state rules.
The "Data Acquisition and Technology Accountability and Security Act" appears to have gone nowhere, but this isn't the first time State AGs have had to urge federal lawmakers not to water down state consumer protections. The National Association of Attorneys General, aptly known as NAAG, penned similar letters to Congress in 2005 and 2015. ®