[BreachExchange] Authorities Arrest Suspect in 2014 UPMC Data Breach

Destry Winant destry at riskbasedsecurity.com
Tue Jun 23 10:35:32 EDT 2020


Authorities have arrested a suspect accused of hacking the University
of Pittsburgh Medical Center's human resources database in 2014 and
stealing personally identifiable information from 65,000 employees.
UPMC owns 40 hospitals plus other facilities.

Justin Sean Johnson, a/k/a "TDS" or "DS", was indicted May 20 on 43
counts, including conspiracy, wire fraud and aggravated identity theft
(see Victim Tally in UPMC Breach Doubles). The fraudulent efforts
resulted in hundreds of false tax returns being filed and almost $2
million in fraudulent refunds being issued, according to documents
filed in the U.S. District Court for the Western District of

The indictment was unsealed Thursday and Johnson was arrested in
Detroit on Tuesday.

Security blogger Brian Krebs reports that Johnson worked as an IT
specialist at the Federal Emergency Management Agency.

"Justin Johnson stands accused of stealing the names, Social Security
numbers, addresses and salary information of every employee of
Pennsylvania's largest healthcare system," U.S. Attorney Scott Brady
says in a statement.

"After his hack, Johnson then sold UPMC employees' PII to buyers
around the world on dark web marketplaces, who in turn engaged in a
massive campaign of further scams and theft."

Johnson Faces 43 Counts

Johnson is charged with one count of conspiracy, 37 counts of wire
fraud and five counts of aggravated identity theft. Court documents
allege Johnson began his operation in November 2013 and continued it
through March 2017.

If convicted, Johnson faces a maximum sentence of five years in prison
and a fine up to $250,000 for conspiracy to defraud the U.S.; 20 years
in prison and a fine up to $250,000 for each count of wire fraud, and
a mandatory 24 months in prison and a fine up to $250,000 for each
count of aggravated identity theft.

The indictment alleges Johnson hacked into the UPMC human resources
database in January 2014 and stole PII and W-2 tax information. This
information was then sold on darknet forums and then used by other
conspirators to file hundreds of sham tax returns resulting in about
$1.7 million in false tax return refunds, prosecutors allege.

Co-Conspirators Plead Guilty

Johnson is at least the third person charged in connection with the
UPMC data breach.

In July 2017, Maritza Maxima Soler Nodarse, a Venezuelan national,
pleaded guilty to one count of conspiracy to defraud the U.S. in
connection with filing false U.S. federal tax returns using identities
belonging to hundreds of UPMC employees. She was sentenced to time
served and deported to Venezuela (see: Second Fraudster Pleads Guilty
in UPMC Breach Case).

In April 2017, Yoandy Perez Llanes, a Cuban national, pleaded guilty
to money laundering conspiracy and aggravated identity theft in
connection with the case. He awaits sentencing on Aug. 18. He was
extradited to the U.S. from Venezuela last August.

Prosecutors said Llanes laundered the money using Amazon.com gift
cards that Nodarse and others used to purchase merchandise, which was
then shipped to Venezuela and retrieved by Llanes, Nodarse and others.
