Hacker indicted for stealing 65K employees’ PII in medical center hack

A Michigan man has been indicted for the 2014 hack of the University of Pittsburgh Medical Center’s (UPMC’s) HR databases and theft of employees’ personal information – information that he allegedly wound up selling on the dark web to crooks who used it to file thousands of bogus tax returns.

The 43-count indictment, returned on 20 May and unsealed on Thursday, named 29-year-old Justin Sean Johnson, also known as TDS or DS, with conspiracy, wire fraud and aggravated identity theft.

The theft involved personally identifying information (PII) belonging to 65,000 employees from the medical center’s PeopleSoft human resources management system.

The purloined data included the names, Social Security taxpayer ID numbers, birth dates, addresses, marriage statuses, salary information, and yet more PII contained in employee W-2 forms.

After the hack, Johnson allegedly sold UPMC employees’ PII to buyers around the world on dark web marketplaces, leaving every one of those people subject to identity theft and potentially years of financial fraud, as US Attorney Scott W. Brady pointed out in a press release.

Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.

Tom Fattorusso, Special Agent in Charge of IRS-Criminal Investigation, was also quoted in the release, talking about the prolonged misery that victims of ID theft suffer:

Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly. Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals.

One of the victims was a nurse who wrote to the court, saying that the US had refunded her IRS refund money, but that she was still devastated by the invasion of her privacy. The Pittsburgh Post-Gazette quoted from her statement:

I think the perpetrators of this particular crime think every American is rich. Most of us, like me, are not … To think that someone could drain any of my assets as a result of possessing information about me including my Social Security number is too painful to think about.

Prosecutors say that Johnson allegedly sold the PII of doctors, nurses and other medical center employees – including W-2 tax forms – on dark web markets between 2014 and 2017. The crooks who purchased the data went on to submit false tax returns to the Internal Revenue Service (IRS) and made off with about $1.7 million in unauthorized federal tax refunds.

The people who filed those liar-bag returns asked for their return money to be issued onto Amazon.com gift cards, which they then used to buy electronic goodies.

About $885K of those goodies – including Samsung and Apple mobile phones, HP laptops, tablets, and gaming devices – were routed to Venezuela through reshipping services in Miami. From there, the items were resold on online marketplaces in South America.

Who was behind the Venezuela link? One conspirator was a Cuban national by the name of Yoandy Perez Llanes who was living in Venezuela in 2015. That year, Llanes was indicted for defrauding the IRS using data obtained in the UPMC mugging. He was arrested and extradited to the US the following year. In 2017, he pleaded guilty and was sentenced to time served plus six months, then deported.

The indictment identified other alleged conspirators – some known, some not – as M.S.N., M.A., and M.N.

‘Playing with PeopleSoft’

The indictment says that in 2013, Johnson engaged in a Facebook chat in which he said he wanted to “Play with PeopleSoft.” He said this of the HR system:

PeopleSoft … is basically HR in a box.

Johnson also allegedly said that he was “conspiring,” and that he would be willing to tell the other person about it “on torchat.”

He taught himself how to use PeopleSoft, according to the indictment. Then, he allegedly left a trail of his training, having performed over 1,000 Google searches for the word “PeopleSoft” as he allegedly sniffed around for a vulnerability in the software.

Other things Johnson allegedly discussed:

  • Being “rich by end of year … if you had what i have.”
  • That he was looking for a “tor messaging service,” and that “the onion world is a very wonderful place.”
  • How to obtain bitcoin for a “seller qualification fee” in order to “acquire, sell, (and to) profit” from stolen PII.
  • Getting access to other PeopleSoft-managed databases in order to gain illegal access to company HR databases: for example, the database of a prominent, unnamed national retailer.
  • His familiarity with the IRS, including filing returns electronically, the duties of “Case Advocates,” and how to obtain a preparer tax identification number (PTIN).

Johnson allegedly sold the UPMC employee PII on the dark web marketplace Evolution. The ad listing uses the slang term “fullz”, which refers to a complete set of records that can be used to commit fraud:

US ldentity Fullz + 2013 W-2 [Pack of l0J
$3 each Name Address City State Zip SSN DOB Federal State/City W-2
Information (includes employer EIN and address)
Provided but unverified data: Marital Status
!!!The majority of this listing will originate from Pennsylvania!!!

“Good seller”, his buyers said. “Would do business with him again.”

In 2015, Johnson allegedly popped up on the AlphaBay dark-web marketplace. Hello, I’m back, he allegedly said:

It’s another year and once again I’m sitting on tens of thousands of fresh names, SSN, DOB, bank routing/account numbers and payroll data…
600 employees is not huge in my book when I can spend time swiping the payroll of a company with 10,000+ employees or raiding the HR system of an institution with tens to hundreds of thousands of names.
Never said it was legitimate access. Just access. But for avoidance of doubt: Not my companies. Not employed by these companies ….

In 2016 and 2017, Johnson allegedly went onto the dark-web marketplace ABM to sell yet more. The claims should give pause to college and university IT departments, as well as to any organization that uses what Johnson allegedly refers to as “sh**ty/default passwords”:

I’ve got 45,000 fresh names/address/DOB/SSN and the source for the info that I’d like to get rid of in bulk;
Still have most of these. Selling the lot for $7,500 or best non-ridiculous offer.
12,500 rows of direct deposit information (yes, that includes account and routing numbers) retrieved yesterday from an active payroll system (no invalid shit). No logins. No credit cards. No companies. Just people…
I’ve found not one but THREE colleges in the past few years that have had their entire
academic student information system accessible because of shitty/default passwords…
I have many profiles of college students and prospective college students (and sometimes their parents) with an IRS verified 2015 AGI from their financial aid paperwork … Interested? Let me know.

Default passwords are dangerous passwords

It’s not only HR databases that can be looted due to something as simple as an unchanged, or weak, password. For one, default passwords in webcams have put millions of people at risk, not just of losing their privacy but also of having their devices added to massive botnets of connected devices, such as Mirai.

In March 2019, we saw a security nightmare when Comcast had a default “0000” PIN on everybody’s account, making it super simple easy for crooks to hijack people’s phone numbers.

If you get any piece of equipment with a default password, please do make sure to change it to a unique, strong password. Password managers make creating, storing and using a slew of strong passwords much easier.

For those of us who aren’t necessarily responsible for college or health center HR systems and the wealth of information they contain, it’s still smart to use two-factor authentication (2FA) whenever it’s available. That way, even if someone has your password, they still can’t log in as you.

If convicted, Johnson is looking at a maximum sentence of five years in prison and a maximum fine of $250,000 for the alleged conspiracy to defraud the US; 20 years in prison and a fine of a maximum $250,000 for each count of wire fraud; and a mandatory 24 months in prison and a fine of not more than $250,000 for each count of aggravated identity theft. Maximum sentences are rarely handed out, though.