Disgruntled IT Worker Gets Heavy Prison Sentence

It just goes to show, however smart you think you are…don’t bother trying to wreck someones data. In this case, even if the guy was pissed it was highly responsible as it involved medical records and could actually seriously effect someones life.

He was pretty careful but left a few clues behind, more than enough for the FBI to catch him (computer names, printers installed etc.).

An IT manager who sought revenge for an unfavorable job evaluation was sentenced to more than five years in federal prison after being convicted of intentionally triggering a massive data collapse on his former employer’s computer network.

Jon Paul Oson, 38, of Chula Vista, California, was sentenced to 63 months behind bars and ordered to pay more than $409,000 in restitution, according to federal prosecutors in San Diego. He was immediately taken into custody after the sentence was handed down on Monday. It is one of the stiffest penalties ever for a computer hacking offense.

It’s a pretty huge sentence for hacking – 63 months or just over 5 years! As mentioned it’s one of the stiffest sentences ever for a computer related crime.

It did cause some serious losses though with a staggered disruption of data, as he was familiar with the backup system he could disable it then wait until the cycle had finished…then once the data was gone it was gone.

On December 23, Oson logged onto servers belonging to his former employer and disabled the program that automatically backed up medical records for thousands of low-income patients. Six days later, he logged on again, and in the span of 43 minutes, methodically deleted the files containing patients’ appointment data, medical charts and other information.

The dollar cost of Oson’s rampage was pegged at $409,337.83 and accounted for expenses for technical investigations and moving to a paper-based system in the weeks following the attack. But the real toll came when doctors at North County Health Services no longer had medical records for thousands of low-income patients who sought medical care. North County Health Services contracted with Oson’s employer to store the records.

Pretty scary that one guy has this kind of power, it just shows it doesn’t pay to annoy the BOFH! Anyway what he did was wrong and he’s getting what he deserved, I mean he didn’t even get canned he just got a bad evaluation.

Any thoughts on this?

Source: The Register

Posted in: Hacking News, Legal Issues

, ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

18 Responses to Disgruntled IT Worker Gets Heavy Prison Sentence

  1. razta June 19, 2008 at 9:34 am #

    Is 5 years a harsh sentence for what he did? Id have to say no, his employer trusted him to do his job and when he left he violated that trust. If it was just deleting a couple of files, or copying a couple of files, something that dident disrupt the day to day running of the hospital then it would be harsh however he maliciously intended to disrupt the hospital as much as he posibly could. He should have expected a harsh sentence, he deserves it for being so childish and stupid.

  2. Rightful June 19, 2008 at 10:12 am #

    I am agreeing with razta in this one, he should have gotten 10 years or more!! the low income patients became the victim in his stupid game. Grow Up.

    If he had left the company why was his account in the server still active? the employer should have removed this once he left.

  3. Ubourgeek June 19, 2008 at 12:23 pm #

    I personally think that the sentence, whilst being stiff for a hacking crime, was too light; it’s bloody medical records we’re talking about here – not a website’s index page for crying out loud!

    I concur with Rightful – the sentence should have been stiffer to send a clear message to ne’er do wells such as this monkey; if hacking activities endanger innocent lives, lock ’em up and throw away the key as far as I’m concerned.

  4. Jack June 19, 2008 at 1:20 pm #

    This goes to show that his boss was a retard. Don’t ever piss off a IT guy. I think he should have gotten a raise – for showing the company the lack for security and policies. Personally I wouldn’t have deleted the records but use GPCODE to encrypt the data and hold it ransom – maybe ask my boss to pony up a good review.

  5. razta June 19, 2008 at 4:08 pm #

    Im sure the boss would then contact the FBI and you would still be getting a stiff sentence for encrypting the files and blackmailing the company rather than just deleting the files.

    The new IT manager may have deleted the previous managers account however he still may have had some kind of back door into the network as he would know it like the back of his hand.

    Im sure the guy whos gone to jail for 5 years will not only lose his fredom, he will also lose his career. Who would want to employ him now?

    I still think he deserved the sentence.

  6. Navin June 19, 2008 at 7:11 pm #

    @ razta, I think there are more than enough security firms in today’s world…… There is definitely a position open for this guy in atleast one of these firms……Very few firms employ a “no ex hackers recruited” policy

    @ Ubourgeek CC:Rightful

    I agree tht the it shud have been harsher but not more than 10 years…. it may be medical records but tht can’t be compared to the punishment veted out to convicted murderers


    Go ahead, help yourself…go ahead with ur plan….use Gpcode… I’m sure tht in less than half a day, a platoon of feds will be knocking on Ur door….. and if U look even minutely “russian”, and have pimples then U’re in a big mess!! ;)

  7. razta June 19, 2008 at 7:28 pm #

    @ Navin – lol at looking Russian, you are correct I dident think about him being recruited by a hacker firm, do you think him actually being a convicted hacker might be better for his career?

  8. Navin June 19, 2008 at 10:20 pm #

    Here’s something the guys at F-secure had said in a tech magazine….

    “It is a known fact that some companies hire ex-virus writers. However, we believe that virus writers are making money off (their) viruses. We never hire an ex-virus writer.”

    There U have it….straight from the horse’s mouth!! Remember man….. serious dark-hatters have no heart….I don’t think they give a fkcu how much data, medical records, or cash is at stake!!

    What say??

  9. Rightful June 20, 2008 at 1:25 am #

    I think you should understand the seriousness of this issue, people’s life are hanging around here, someone might die just because the doctors cannot retrieve older IMPORTANT medical informations regarding him/her. Its not just a simple web defacement.

    @Navin “. serious dark-hatters have no heart

  10. Pantagruel June 20, 2008 at 7:40 am #

    @ All above

    Your all right, his sentence isn’t that big at all, they should have given him life, simply because his wiping of data may have caused lives.
    I have absolutely no respect for any hacker/cracker who has a go at medical record and start expunging them, sick.
    The guy has done a pretty nice job of ruining both his future and career.
    No matter how disgruntled you are about an unfavorable job evaluation, it’s NO excuse to damage non involved people just because you want to get even.

    Concerning the hospital/Medical institute, they also have a large part in him being so successful at deleting data. They should have implemented more checking mechanisms and simply not have given him this amount of power.

    Indeed a BOFH gone bad

  11. Cor-Paul June 20, 2008 at 8:54 am #

    Hmm… 38 year old scriptkiddies?

    I think it’s a bad thing that one guy has the power to do this. On the other hand, I’m quite amazed by the fact that a company that holds medical data is this vulnerable to the actions of one person!

  12. Bogwitch June 20, 2008 at 10:04 am #

    “On December 23, Oson logged onto servers belonging to his former employer….”

    Former employer who didn’t change admin passwords after an admin leaves following a poor review?
    Employer who has such sensitive information on servers connected to the Internet?
    Employer who doesn’t check that backups are running?

    What Orson did was wrong, no question about that but has the employer received any criticism for their shoddy practices? Doesn’t HIPAA have any comments about this?

  13. Happy Hacker June 20, 2008 at 2:39 pm #

    I think Bogwitch has a good point! Although I don’t want to say that Oson Isn’t responsable, I think he should be in jail 1 year for evry record destroyed. (mabey I’m bitter as I have health issues) BUT! And I mean But, the Employer should be brought up on charges of negligence.
    For one thoes passwords should be changed at the lest monthly! Secondly, Who depends on only 2 copys of data?, anything worth saving I keep at lest 4 copies of. I hope this leads to an upgade of their software that would alow them to Verify the backup status of the data, I can’t belive no one noticed the backups had been tamperd with! Another $10,000 worth of server equipment and software could have saved the $400,000 in damages and the invaluable information lost, that could potential lead to deaths!
    In point I think EVRYONE dropped the ball on this one.

  14. Navin June 20, 2008 at 6:29 pm #

    I’m sorry mates… I didn’t actually comprehend the loss in this manner…. I din’t know tht in Ur country….the loss of medical records can lead to loss of lives…..In India, its not like that!! That brings me to a question…if this data was soooooooooo sensitive, why was it so easily available to be destroyed?? Shouldn’t the employer be held responsible as well??

    @rightful….for U hacking means learning…tht’s why U fall into the category of “ethical hacker”…I’m talking about darkhatters, guys who get pleasure from seeing Stock indexes crash or telecom companies disabled, the guys who take PoC viruses and tweak them to destroy files…. and frankly when U’re extremely pissed offwith an employer, U do want to destroy sensitive data….I’m not saying tht they shouldn’t be punished, I’m just saying that it won’t matter!! But as I mentioned at the start, I din’t know that your health system works with ultimate dependencies on cyber data

    BTW @happy hacker: I completely agree with Ur points!!

    I wanted to know what exacltly does “The dollar cost of Oson

  15. a.random.persona June 21, 2008 at 2:23 am #

    I believe the name for these type of people is not hacker, but cracker (not related to reverse engineers). His sentence was stiff but it was rightful. To do something that affects the public is wrong and un-ethical. Hacking to destroy crucial files must be punished and he got what he deserved.

  16. Sleepy June 21, 2008 at 5:34 pm #

    I agree with most of you, the sentence was probably just right or maybe a little light even considering he may have caused physical pain or death, and surely knew so. I also agree that the company he worked for dropped the ball as Bogwitch pointed out.

    But, I’m also curious, if he “deleted” all this stuff, surely it was noticed right away and at least some of it should have been recoverable via forensics, especially with the FBI on hand?

  17. david February 18, 2009 at 1:46 pm #

    Jacktard dude seems to watch too much movies
    we’re talking about medical records of thousands of low-income patients! have some common sense and ethic behavior.
    an IT pro isn’t god, is just that; IT, it’s almost like any other job
    …Sad but seems like everytime a maggot brain have a powerful position something bad comes out

  18. commonmember April 18, 2009 at 7:42 pm #

    i think it goes to show how a person will react to an unfair judgement and a cut or lack of pay, to what they deserve. companies need to pay their employees what is entitled to them. when people get short-changed theres no telling what they will do.

    an innocent plee was right. who the hell would leave these types of things open to be tampered with. whos to say that his employers didnt have access to his accounts and codes. Maybe some other employee higher up on the chain needed to cover up things and used Mr. Oson. knew his skills and pinned it on him. comic book shit right. it could be done. after all fbi was involved. government was involved.

    OH!!! BY THE WAY IM HIS NEPHEW!!!!!!!!!!!!!!!!!!!!!!!