Michigan Man Admits Selling UPMC Employee Data

A hacker from Michigan has admitted to stealing the sensitive data of more than 65,000 University of Pittsburgh Medical Center (UPMC) employees and selling it online.

Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson, known on the dark web by the handles TheDearthStar, Dearthy Star, TDS, and DS, hacked into UPMC's human resources database in January 2014. Six years later, the 30-year-old resident of Detroit was indicted by a federal grand jury in Pittsburgh and subsequently arrested on charges of conspiracy, wire fraud and aggravated identity theft.

Among the data swiped and sold by Johnson was W-2 information and Personally Identifiable Information (PII) that included Social Security numbers, addresses, names and salary information. Conspirators who bought the data from Johnson via forums filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII. 

Hundreds of thousands of dollars of false tax refunds claimed in these false 1040 filings were then converted into gift cards for online marketplace Amazon.com. Conspirators used the gift cards to purchase products that were later shipped to Venezuela. 

The lucrative criminal scheme resulted in the loss of approximately $1.7m in false tax return refunds. 

UPMC employees were not the only victims of Johnson's proclivity for data theft. From 2014 through 2017 he also stole and sold nearly 90,000 additional sets of PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud.

On May 20, Johnson pleaded guilty to counts 1 and 39 of a 43-count indictment before Chief United States District Judge Mark R. Hornak. Johnson will remain in detention while a date is set for his sentencing.

"Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly," said Tom Fattorusso, the special agent in charge of IRS–Criminal Investigation at the time of Johnson's arrest.

"Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals."

What’s Hot on Infosecurity Magazine?