A Romanian computer hacker was sentenced to serve three years in prison for an international identity theft scheme. On September 22, the multi-year case against the hacker who breached security companies and medical offices has been finalized.
Mircea-Ilie Ispasoiu, the prosecuted hacker, had been operating since August 2011, according to indictment papers. In 2014, the US indicted Ispasoiu with two counts of wire fraud and two counts of unauthorized computer access. He was also charged with two counts of unauthorized computer access that caused damage. Lastly, his usage of the compromised data resulted in three counts of aggravated identity theft.
Ispasoiu was employed as a computer systems administrator at a large financial institution in Romania, court documents revealed. While working as a sysadmin, Ispasoiu began hacking organizations, companies, and private individuals. Between August 2011 and February 2014, the hacker breached database of retailers and medical offices.
After compromising the network of a company he targeted, Ispasoiu would deploy remote access trojans (RAT) to vulnerable computers. When the RAT successfully infected a sufficient number of machines it would then automatically grab system login credentials. The credentials were subsequently used to access sensitive information on a server or machine. The data most often collected was of the name, address, and credit card variety. From one business alone, Ispasoiu stole more than 10,000 credit and debit card numbers.
The court documents explain the process involved in one of the hacks:
In or around September 2012, defendant ISPASOIU gained access to a computer affiliated with Victim #4 [the medical office] and caused malware to be placed on Victim #4’s network. Using this malware, defendant ISPASOIU stole information from Victim#4, including Log-In Credentials and Payment Card Data, that was then sent to an email address controlled by defendant ISPASOIU.
Of these breaches, the indictment names several significantly impacted victims. The Grand Jury is aware of a restaurant in Montclair, New Jersey; a car dealership in North Brunswick, New Jersey; a medical office in Phoenix, Arizona; and a large security firm operating across the US.
One breached company stands out, however; fingerprints and social security numbers were stolen from a security firm.
The US released no names of exploited companies, however CICS Employment Services is understood to be the compromised security firm. Following the time frame of Ispasoiu’s hacks, the FBI notified CICS of a data breach.
CICS runs pre-employment background checks for various agencies throughout the US, storing SSNs and fingerprints of applicants. After the FBI notified CICS of the breach, CICS sent an email to everyone with data on company servers. This resulted in a nationwide identity theft scare, even to those who had not applied for a job in years.
Shortly after his 2015 extradition, Ispasoiu he was arraigned before U.S. Magistrate Judge Michael Hammer in Newark federal court. The Romanian man remained in custody for a year before a second court appearance in mid-2016.
Ispasoiu pleaded guilty to Count One and Seven of the indictment in front of U.S. District Judge Kevin McNulty. Nearly six months passed before Judge McNulty made his sentencing decision.
On September 22, 2016, Ispasoiu was sentenced to 36 months in prison. Of the two charges Ispasoiu was convicted of, wire fraud was the more severe. Wire fraud has a $1,000,000 maximum fine and the defendant was ordered to pay nearly that: $907,204.88. After release from prison, Ispasoiu is required to be under federal supervision for another 36 months.