The alleged hacker who breached the human resource databases of University of Pittsburgh Medical Center in 2014 was arrested this week in Detroit, the Department of Justice announced.
The man, Justin Sean Johnson, aka “TDS” and “DS,” 29, was indicted on charges of conspiracy, wire fraud and aggravated identity and is believed to have sold exfiltrated personally identifiable information (PII) and W-2 information on the dark web.
Johnson is accused of infiltrating the human resource server databases at UPMC in January 2014, as well as of stealing information he later sold on dark web forums. The sold UPMC employee PII was then used to file hundreds of false form 1040 tax returns in 2014.
According to the indictment, these false 1040 filings claimed hundreds of thousands of dollars of tax refunds. The cybercriminals who filed these forms converted the funds into Amazon gift cards, and used those to purchase merchandise that was shipped to Venezuela.
The indictment also alleges that, between 2014 and 2017, Johnson regularly sold other PII on underground forums.
“The scheme resulted in approximately $1.7 million in false tax return refunds,” the DoJ says.
For conspiracy to defraud the United States, he faces a maximum sentence of five years in prison and a $250,000 fine. Johnson also faces 20 years in prison and a fine of $250,000 for each count of wire fraud, and a mandatory 24 months in prison and a fine of $250,000 for each count of aggravated identity theft.
“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” said US Attorney Scott W. Brady. “After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in massive campaign of further scams and theft. His theft left over 65,000 victims vulnerable to years of potential financial fraud.”
Related: Two Indicted in $10 Million Tech Support Fraud Scheme
Related: Indictment: Hackers Charged With Making Threats to Schools
Related: Singaporean Indicted in U.S. for Illegal Crypto-Mining
