A Pennsylvania man who hacked the personnel records of the University of Pittsburgh Medical Center (UPMC) and dangled personally identifiable information (PII) for sale on the dark web was sentenced Oct. 18 to seven years in prison for conspiracy to defraud the United States and aggravated identity theft.[1] Chief U.S. District Judge Mark Hornak imposed the maximum allowed sentence on 30-year-old Justin Sean Johnson for the incident, which affected the PII of more than 65,000 UPMC employees.
According to the U.S. attorney’s office, “in imposing the sentence, Judge Hornak noted the severity of Mr. Johnson’s crimes, likening his behavior to a ‘bulldozer’ through people’s personal lives when he ‘indiscriminately’ hacked their PII.”
Johnson had been planning the hack for at least several months, as the original indictment noted he opened a bitcoin account on Oct. 31, 2013. And UPMC may not have been his first (or only) target. As the indictment states, Johnson discussed with others gaining access to a human resources (HR) database “of a prominent national retailer.” Further, the indictment alleges that as recently as 2017, Johnson had hacked into colleges and also had stolen data from “a large healthcare provider in Georgia and Florida.”
To hack UPMC, Johnson studied Oracle’s PeopleSoft, a suite of HR and business applications, according to the U.S. attorney’s office. “Investigators years later uncovered Johnson’s ‘PeopleSoft expertise,’ having studiously searched for PeopleSoft over 1,100 times on his computer,” the U.S. attorney’s office wrote in its sentencing memo. A forensic review of Johnson’s laptop revealed PII from Pruitt Health Care in Georgia and Lexington Medical Center in South Carolina, the sentencing memo said, noting that “the common denominator was a PeopleSoft HR network.”