The Man Who Has Stolen the PII of 65k Employees of UPMC Pleads Guilty
The Hacker Will Spend a Minimum of Two Years in Jail and Owes up to $250,000 in Fines.
Justin Sean Johnson has pled guilty to hacking into University of Pittsburgh Medical Center (UPMC) human resource databases and stealing the Personally Identifiable Information (PII) of more than 65,000 employees.
According to investigators, Johnson, also known on the dark web as ‘TheDearthStar’ and ‘Dearthy Star’ stole the information and then sold it on the dark web so others could use it to file false tax returns, identity theft, and bank fraud.
Following Johnson’s arrest, the U.S. Attorney Brady declared in a press release issued in June 2020:
Justin Johnson stands accused of stealing the names, Social Security numbers, addresses, and salary information of every employee of Pennsylvania’s largest health care system.
After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in a massive campaign of further scams and theft.
The University of Pittsburgh Medical Center (UPMC) is a $21 billion integrated global nonprofit health enterprise that has 90,000 employees, 40 hospitals with more than 8,000 licensed beds, 700 clinical locations including outpatient sites and doctors’ offices, a 3.8 million-member health insurance division, as well as commercial and international ventures.
In the first instance, the attacker got into UPMC’s human resources database network at the beginning of December 2013 by gaining unauthorized access to the organization’s Oracle PeopleSoft human resource management system.
He gained access to the personally identifiable information (PII) of approximately 23,500 UPMC staff after performing a test inquiry on the impacted HR database.
For almost a month, he kept accessing the database several times every day remotely to withdraw the PII of tens of thousands of University of Pittsburgh Medical Center employees.
Following the attack, the man sold the stolen information on dark web marketplaces to people who used it to fraudulently file Form 1040, 1040, and 1040EZ federal income tax returns.
According to an indictment filed in 2020, the bogus tax refunds – a total of $1.7 million in unauthorized federal tax returns – were later changed into Amazon gift cards utilized to purchase Amazon goods that got sent to Venezuela via Miami reshipping services.
Aside from selling the private information of 65,000 workers from UPMC’s breached HR databases, the attacker also stole and sold almost 90,000 extra (non-UPMC) sets of PII between 2014 and 2017, all of it potentially used in identity theft and bank fraud felonies.
After the guilty plea filed last week, the Court ordered that the attacker remains kept in custody to wait for his sentence.
According to BleepingComputer, he is facing a maximum sentence of five years in jail, owning up to $250,000 in fines for plotting to defraud the U.S., as well as an obligatory two years in jail and a fine of up to $250,000 for each count of aggravated identity theft.