Yung-Hsun Lin, 51, of Montville, was sentenced to 30 months in federal prison by U.S. District Judge Jose Linares, who also ordered the former systems administrator to pay $81,200 in restitution to Medco Health Systems.
The sentence is believed to be the longest for an attempt to damage a computer system. Lin, also known as Andy Lin, must surrender to the federal Bureau of Prisons by Feb. 25 and is free on bail until then.
Lin, who pleaded guilty on Sept. 19, 2007 to one count of transmitting computer code with the intent of causing damage in excess of $5,000, admitted modifying system code to “detonate” on April 23, 2004 – his birthday – and wipe out information in Medco's drug utilization review database, which is updated daily with patient-specific drug information.
The logic bomb, code designed to perform a malicious activity when specific conditions are met, did not work, but was discovered by another system administrator the following January.
U.S. Attorney Christopher Christie praised Franklin Lakes, N.J.-based Medco for bringing the case to the government's attention.
“That is the kind of cooperation we need and appreciated from private industry,” he said. “The results of this prosecution send a message to systems administrators and employees; and industries should feel comfortable and confident in coming to us when such cases arise.”
Lin admitted in court that he created the virus in October 2003, when he feared that layoffs resulting from Medco's spinoff from Merck & Co. would affect him. While the merger did result in layoffs, Lin was not affected.
The former IT professional had faced a maximum sentence of 10 years in prison and a $250,000 fine.
Medco spokeswoman Jen Luddy told SCMagazineUS.com today that no sensitive data was affected by Lin's tampering.
“As a company vigilant in protecting our systems and data, we believe the sentence sends a strong message – there is zero tolerance for this type of conduct,” she said. “Medco has systems and controls in place to monitor its data-related assets and ensure their security. Medco detected and neutralized the activity ensuring the integrity of our systems.”
Tom Bennett, vice president of marketing for Raytheon Oakley Systems, told SCMagazineUS.com today that Lin would be considered a “high-risk” employee because he was employed as a systems administrator.
“In most security cases, it's an art between balancing access and letting business continue,” he said. “There's a concept of ‘who's watching the watcher,' where in this case you have a gentleman who has privileged access, but there should be someone [monitoring him].”
Systems administrator gets 30 months in prison for 'logic bomb'
By Frank Washkuch on Jan 10, 2008 2:26PM