Disgruntled admin gets 63 months for massive data deletion
Brought down by computer named 'kuku'
An IT manager who sought revenge for an unfavorable job evaluation was sentenced to more than five years in federal prison after being convicted of intentionally triggering a massive data collapse on his former employer's computer network.
Jon Paul Oson, 38, of Chula Vista, California, was sentenced to 63 months behind bars and ordered to pay more than $409,000 in restitution, according to federal prosecutors in San Diego. He was immediately taken into custody after the sentence was handed down on Monday. It is one of the stiffest penalties ever for a computer hacking offense.
Oson was hired in May 2004 as a network engineer at the Council of Community Clinics in San Diego, a nonprofit that provides various services to 17 regional health clinics in Southern California. He performed well in that role and five months later was promoted to technical services manager. He ended up bitterly resigning a year later after a performance evaluation cited interpersonal difficulties, according to court documents.
On December 23, Oson logged onto servers belonging to his former employer and disabled the program that automatically backed up medical records for thousands of low-income patients. Six days later, he logged on again, and in the span of 43 minutes, methodically deleted the files containing patients' appointment data, medical charts and other information.
The dollar cost of Oson's rampage was pegged at $409,337.83 and accounted for expenses for technical investigations and moving to a paper-based system in the weeks following the attack. But the real toll came when doctors at North County Health Services no longer had medical records for thousands of low-income patients who sought medical care. North County Health Services contracted with Oson's employer to store the records.
By destroying the records, Oson threatened the health of patients who visited the clinic immediately after the attack, prosecutors argued. They cited two examples, including a nine-year-old who had been diagnosed with an ear infection several days before Oson's rampage. When he returned a few weeks later, doctors had no record of the previous diagnosis, and they also had no idea he was due for a routine physical exam.
"Patients who visited the clinic in the weeks following the network disruption were kept waiting hours and sometimes futilely while their charts were located and delivered to the appropriate clinic and doctor," prosecutors said in court documents. "With the shutdown of its Practice Management system, NCHS had to shift to a paper-based system."
After ransacking his former employer's network, Oson took pains to cover his tracks. When FBI agents raided his home in May 2006, they found all but one of his PCs had been wiped clean, irretrievably destroying data that might have shown he was behind the attacks.
But Oson slipped up and left other clues. One was an HP 2100 LaserJet printer he kept at his home and another was an HP LaserJet 4M printer physically located near the workstation Oson used at his new job.
It just so happened that in the weeks leading up to the data meltdown, an intruder had cased the network by logging in from at least three different machines. One was a computer named "TEMP3" that was equipped to work with an HP 2100 LaserJet printer. A second PC happened to contain drivers for the HP 2100 and a LaserJet 4M.
Even more incriminating, the nickname of this second PC was "kuku" and one of the printers it was configured to work with was named "mike2003 HP Laserjet 4M". That just happened to match the name of Oson's son and the network name of the printer sitting by his workstation.
"At the sentencing hearing, the court talked about the impact of Oson's actions and his arrogance," Assistant US Attorney Mitchell Dembin, who prosecuted the case, wrote in an email to The Reg. "The court said that Oson seemed to think that he was the smartest guy around but, as often happens, he ran into someone smarter (the FBI)." ®
Sponsored: Network DDoS protection