Wed | Dec 29, 2021 | 6:45 AM PST

Breach fatigue is a real concern for cybersecurity leaders who are trying to communicate that security is everyone's responsibility.

After so many data breaches in the news, many end-users begin to wonder if it really matters when their personal information or user credentials are taken. After all, how bad could it really be?

Well, a recent hacking case in Pennsylvania highlights how serious the consequences can be and what hackers can gain. 

Hack leads to stolen identities and fraud

Hospitals and medical centers have been a hotspot for hackers during the pandemic, but what information are they going after?

Some have tried to steal information on anything related to COVID-19, but others are simply after the personal information of patients and staff; this data has value.

Acting United States Attorney Stephen R. Kaufman announced that Justin Sean Johnson, a Detroit resident, pleaded guilty to hacking into the University of Pittsburgh Medical Center and stealing Personally Identifiable Information (PII) of more than 65,000 UPMC employees.

Here is what the DOJ says about Johnson's crimes:

"In connection with the guilty plea, the court was advised that Johnson, known on the dark web as TheDearthStar and Dearthy Star, infiltrated and hacked into the UPMC human resource server databases in 2013 and 2014 and stole sensitive PII and W-2 information belonging to tens of thousands of UPMC employees.

The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.

Additionally, Johnson, from 2014 through 2017, stole and sold nearly 90,000 additional (non-UPMC) sets of PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud.

The scheme resulted in approximately $1.7 million in false tax return refunds."

For these crimes, Johnson faces a maximum sentence of five years in prison and a fine of no more than $250,000. He will serve a minimum 24-month sentence.

If you think that your end-users are beginning to experience breach fatigue, remind them that every breach can have real-world consequences. 

Security does matter, for everyone.