Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

‘Dearthy Star’ Pleads Guilty to Selling Info of 65K Health Care Employees

‘Dearthy Star’ Pleads Guilty to Selling Info of 65K Health Care Employees

Justin Sean Johnson, a 30-year-old from Detroit, Michigan, has pleaded guilty to stealing the personally identifiable information (PII) of 65,000 employees of health care provider and insurer University of Pittsburgh Medical Center (UPMC) and selling it on the dark web.

UPMC is Pennsylvania’s largest health care provider that employs more than 90,000 employees in 40 hospitals and 700 doctors’ offices and outpatient sites.

Johnson (also known on the dark web as ‘TheDearthStar’ and ‘Dearthy Star’) was charged with conspiracy, wire fraud, and aggravated identity theft in a forty-three count indictment filed last year, in May 2020.

“Justin Johnson stands accused of stealing the names, Social Security numbers, addresses and salary information of every employee of Pennsylvania’s largest health care system,” U.S. Attorney Brady said in a press release issued in June 2020, after his arrest.

“After his hack, Johnson then sold UPMC employees’ PII to buyers around the world on dark web marketplaces, who in turn engaged in a massive campaign of further scams and theft.”

Also Read: PDPA Compliance Singapore: 10 Areas to Work on

Data of tens of thousands stolen within one month

Johnson initially infiltrated UPMC’s HR database network in early December 2013 by hacking the company’s Oracle PeopleSoft human resource management system.

On the same day, he accessed the PII of approximately 23,500 UPMC employees after running a test query on the breached HR database.

Between January 21 and February 14, 2014, he continued accessing the database multiple times per day remotely to exfiltrate the PII of tens of thousands of UPMC employees.

Johnson sold the data he stole on dark web marketplaces like Evolution and AlphaBay Market to buyers who used it to fraudulently file Form 1040, 1040, and 1040EZ federal income tax returns.

According to the indictment, the fraudulent tax refunds, which amounted to $1.7 million in unauthorized federal tax returns, were later converted into Amazon gift cards used to buy Amazon merchandise that got sent to Venezuela via Miami reshipping services.

Johnson deposited the cryptocurrency he bought using the monies obtained by selling the stolen UPMC employees’ data into a Coinbase account.

Besides selling the PII of roughly 65,000 employees from UPMC’s breached HR databases, Johnson also stole and sold almost 90,000 additional (non-UPMC) sets of PII between 2014 and 2017, all of it potentially used by the buyers to commit identity theft and bank fraud.

AlphaBay Market ad
AlphaBay Market ad

Also Read: What Does a Data Protection Officer Do? 5 Main Things

Detained pending sentencing

Johnson is facing a maximum sentence of five years in prison and a fine of up to $250,000 for conspiracy to defraud the United States, as well as a mandatory two years in prison and a fine of up to $250,000 for each count of aggravated identity theft.

According to a DOJ press release, the investigation leading to Johnson’s prosecution was conducted by agents from the Internal Revenue Service-Criminal Investigation, the United States Secret Service, the United States Postal Inspection Service, and Homeland Security Investigations.

Johnson remains detained pending sentencing, as the Court ordered after his guilty plea was filed last week.

“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” U.S. Attorney Brady said last year.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” U.S. Secret Service Special Agent in Charge Timothy Burke added.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us