Michigan Man Got a 7-Year Sentence for Hacking UPMC HR Databases and Stealing PII
- A hacker was handed an 84-month sentence for breaking into the UPMC HR database and stealing the sensitive information of more than 65,000 employees.
- The man hacked the University of Pittsburgh Medical Center servers in 2013 to 2014, and until 2017 stole and sold exfiltrated data sets.
- The stolen personal data was bought on the dark web by crookes who filed hundreds of fake tax returns, leading to $1.7 million worth of tax fraud.
Justin Sean Johnson, known on the dark web as TheDearthStar and Dearthy Star, a resident of Michigan, was sentenced on Friday for hacking the HR databases of the University of Pittsburgh Medical Center and stealing the sensitive data of tens of thousands of people. Among these, the Personally Identifiable Information (PII) of more than 65,000 UPMC employees was exfiltrated.
Johnson hacked into the UPMC Human Resources server databases back in 2013 and 2014. He then proceeded to extract highly sensitive PII and W-2 information pertaining to tens of thousands of UPMC employees. Moreover, from 2014 through 2017, he stole and sold nearly 90,000 additional (non-UPMC) sets of sensitive information on the dark web. Of course, the PII could be exploited for identity theft and bank fraud.
The hacker sold the exfiltrated data to dark web scammers who promptly used the information to file fraudulent 1040 tax returns in 2014, resulting in tax refunds amounting to $1.7 million, which were then converted into Amazon gift cards used to purchase merchandise and ship it to Venezuela.
As per an official statement issued by Acting US Attorney Kaufman, the man stole "the names, Social Security numbers, addresses and salary information of tens of thousands of UPMC employees." According to Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation, such actions have a long-lasting and often devastating impact on victims’ lives, and that the sentence handed to Johnson was a strong message to any hackers who want to defraud the public.
The case has been handled by Internal Revenue Service-Criminal Investigation, the US Secret Service, the US Postal Inspection Service, and Homeland Security Investigations agents. Chief United States District Judge Mark R Hornak sentenced Johnson to serve 60 months for Conspiracy to Defraud the U.S. and 24 months for Aggravated Identity Theft individually. These are the is the maximum sentence for each of these crimes and come up to a total of 84 months.
In July 2021, another healthcare institution was attacked. The Sandhills mental health center in North Carolina was hacked, with 634 GB of data stolen during the attack and auctioned on the Marketo leaks portal on the dark web.