Almost two years after he was arrested for stealing and selling his employer's confidential data, the Department of Justice announced late last week that the suspect, a Nebraskan man, has been sentenced to nearly two years in prison.
Timothy Young was arrested back in May, 2019 after using an alias to place an ad online advertising the sale of non-public information including names, logon names, passwords, email addresses, and telephone numbers. Despite placing the advertisement, Young didn't own any of that information; he stole it from his employer, a data analytics and risk assessment firm based in New Jersey. While the firm isn't named in court documents, Young had an author page – since delisted – on the website of Verisk Analytics. His LinkedIn page, also since deleted, also listed Verisk Analytics as his employer.
According to its website, Verisk, based in Jersey City, services insurance, financial services, and government sectors. Not surprisingly, as a data analytics firm, it also has vast reserves of data, much of it sensitive, personally identifiable information.
“The company maintains a network that houses, among other things, significant amounts of personally identifiable information," the DOJ, via U.S. Attorney Carpenito, said in a press release last Thursday.
While Young had plead guilty last summer to wirefraud via videoconference, he wasn't sentenced until last week when he received 21 months.
The FBI first began looking into Young and his operation in March of 2019, when he posted on an online forum that he was seeking $2.5 million in cryptocurrency for a trove of stolen data connected to a large corporation; he said later that day he worked for the company.
“I am looking for a person or group who would be interested in buying network login information for a large corporation. it is a Fortune 500 company with annual profits of $2.5B,” the post read. The note goes on to claim he has access to the "complete details of millions of individual buildings, medical claims, every municipal water system in the US, every emergency communications center in the US, and every fire department."
According to a criminal complaint filed by Schiller Salomon, a special agent with the FBI, after a series of back and forth communications engaging with Young, the FBI paid him .5 Bitcoin – about $28,088 now but $2,040 In May, 2019 - for a database including of the data. After reviewing the information - names, addresses, email accounts and other identifying information - authorities were able to verify with Verisk that it was legitimate.
The FBI was also able to cross-reference times that Young was logged in, when he used his password, and that he accessed the data from an IP address from his home in Moorefield, Nebraska. On top of that, the FBI and Verisk were able to corroborate that Young had a two-factor authorization code sent to him around the same time he recorded a video he used to advertise of him accessing the company's systems.
While court documents don’t outline what medium Young used to access the data – whether it was via a proprietary platform, FTP, or some form of cloud storage database – it’s clear he did so; it was even documented on film.
What’s less clear is how he stole the data. Young sent some of the stolen data in screenshot to a confidential informant in March but in May, when authorities bought it, it's not clear if the database Young sent was downloaded off the company's systems outright, copied and pasted data, or if it too, was a screenshot. Regardless, it doesn’t sound like there was a solution set up to prevent the data from being removed from its systems.
Departing or disgruntled employees can use stolen data including intellectual property or PII to give them a leg up over their employer or make a quick payday.
Last fall, a former systems administrator at Century 21 used a "superuser" account he created to steal employee data and access the company's systems, even though he'd resigned. In New Jersey last year, a man was charged with stealing intellectual property after taking trade secrets from his employer, a luxury yacht company, via a USB storage device.
As part of the sentencing, District Judge Katharine Hayden Judge Hayden sentenced Young to three years of supervised release and ordered him to pay restitution of $296,370.
