Cyber-Ark Says Network Engineer's 63-Month Hacking Sentence Fair

"Your Average Hacker Isn't Going to Take The Time to Do This"

(26.06.08) - Cyber-Ark, the digital data security specialist, says that a 63-month prison sentence handed down to a former network engineer for hacking a Californian health clinic's computer system is fair.

"The sentence is one of the longest given for hacking in the United States, but since Jon Paul Oson, an IT professional, had deliberately deleted patient and allied data from his former employer's computer systems, I think it reflects the seriousness of his offences," said Adam Bosnian, Cyber-Ark's VP Marketing.

Bosnian's comments came after the 38-year-old former network engineer with the Californian health services clinic was ordered to pay more than $144,000 to the Council of Community Health Clinics (CCC) and more than $264,000 to the clinic whose computer system he hacked.

"What makes the hacking and file deletion worse is the fact that the CCC is a not-for-profit organisation that provides a variety of services to its membership, and operates 17 community health clinics in San Diego and Imperial counties of California," he said.

"A jury convicted Oson of accessing the CCC network without authority back in December, 2005, and disabling the automatic process that created backups of patient information," he added.

Bosnian went on to say that because Oson had betrayed his former employer's trust, and potentially put patient's lives at risk through his actions, his prison sentence should stand as a warning to anyone else contemplating such stupid actions.

"Hacking in itself is wrong, but betraying a former employer's trust and potentially placing patient's lives at risk is about as bad as you can get," he noted.

According to Bosnian, since the clinic's systems were fully backed up and encrypted, then a normal hacker couldn't gain access unless they were somehow exposed to the encryption keys and able to log into the back ups to erase them.

"Your average hacker isn't going to take the time to do this - it's difficult and a lot of work, they tend to go for easy target. An unhappy ex-employee with access to admin passwords that haven't been changed and a knowledge of the system, on the other hand, is going to have no trouble at all," he said.

"The fact that he managed to cover his tracks suggest a high level of access rights - normal users can't erase their traces, admins can - especially when you realise that these were very high level documents he was accessing and would of been subject to Health Insurance Portability and Accountability Act regulations," he added.

"This, in turn, would have meant that all user interactions would have been logged and monitored. And you can't log or monitor admins without a security technology like Cyber-Ark's," he concluded.

For more on the Oson hacking case: http://tinyurl.com/5ts6v .

(Cyber-Ark: ra)