Last week, the Department of Justice (DOJ) announced that the individual who allegedly breached the human resource database of University of Pittsburgh Medical Center (UPMC) in 2014 was arrested in Michigan.
In a press release, the DOJ accuses Justin Sean Johnson of stealing personal identifiable information of more than 65,000 UPMC employees, and selling the treasure trove of information on dark web forums “for us by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII.”
According to the indictment, in December 2013, Johnson infiltrated UPMC’s HR database managed by PeopleSoft, and performed a ‘test query’ for PII belonging to 23,500 employees. Between January and February 2014, the culprit remotely accessed the HR database, viewing and exfiltrating additional PII of UPMC employees.
The 29-year-old, aka ‘TDS’ or ‘DS,’ was highly active on the dark web for about 3 years, his fraudulent schemes ultimately resulting in $1.7 million in unauthorized federal tax returns.
The fake tax returns were converted into Amazon gift cards, and used to purchase goods that were shipped to Venezuela through multiple reshipping services in Miami.
“Approximately $885,578 in electronic merchandise such as Samsung and Apple cell phones, gaming devices and other electronics was ordered using the Amazon.com gift cards,” the May 20 indictment reads.
“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” U.S. Attorney Brady said.”After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud. Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.”
Johnson is charged in a 43-count indictment with conspiracy, wire fraud, and aggravated identity theft. If found guilty, the accused faces a maximum sentence of five years in prison and a fine of $250,000 for conspiracy to defraud the United States, 20 years in prison and a fine of $250,000 for each count of wire fraud, and 24 months in prison along with a fine of $250,000 for each count of aggravated identity theft.