By Katherine Noyes TechNewsWorld
01/09/08 11:53 AM PT
A federal judge on Tuesday sentenced a former systems administrator for Medco Health Solutions to 30 months in prison for planting a "logic bomb" in Medco's computer systems that was designed to wipe out critical data on more than 70 servers, U.S. Attorney Christopher J. Christie announced.
A programming error prevented the bomb from detonating, but Yung-Hsun ("Andy") Lin, 51, of Montville, N.J., was also ordered by U.S. District Judge Jose L. Linares to pay US$81,200 in restitution to Medco. Lin is free on bail until Feb. 25, when he must surrender to the Federal Bureau of Prisons.
Lin's sentence is the longest federal prison sentence given to date for such a crime, Christie's office said.
"Disgruntled or rogue employees are a real threat to corporate technology infrastructures and can cause extensive damage," Christie said. "The results of this prosecution send a message to systems administrators and employees, and industry should feel comfortable and confident in coming to us when just such cases arise."
Fear of Layoffs
During a Sept. 19 plea hearing before Linares, Lin admitted that while he was employed as a systems administrator at Medco in October 2003 he modified existing computer code and added additional code designed to wipe out computer servers on Medco's network.
Fear of layoffs prompted Lin to plant the bomb, he said, as Medco was being spun off from Merck at the time. He scheduled the code to detonate on April 23, 2004 -- his birthday.
Although the bomb failed to detonate as planned and he never got laid off, Lin kept it in place and set it to deploy on April 23, 2005, instead, he admitted.
Another Medco systems administrator investigating a system error on Jan. 1, 2005, discovered the embedded logic bomb. The company's IT staff then neutralized the destructive code.
Multiple Systems Targeted
Among the Medco databases that could have been affected by the bomb was a critical patient-specific drug interaction conflict database known as the "Drug Utilization Review" (DUR). Prior to dispensing medication, pharmacists routinely examine the DUR for potential conflicts among an individual's prescribed drugs.
Other servers targeted by the logic bomb contain applications relating to clients' clinical analyses, rebate applications, billing and managed care processing. The servers also handle new prescription call-ins from doctors and coverage determination applications, as well as numerous internal Medco applications including corporate financials, pharmacy maintenance tracking, Web and pharmacy statistics reporting, and employee payroll input.
Assistant U.S. Attorney Erez Liebermann of the U.S. Attorney's computer hacking and intellectual property section and Marc Ferzan, chief of the U.S. Attorney's commercial crimes unit, prosecuted the case.
'Large Deterrent'
"Just as placing an actual explosive device is a felony, so too is placing software logic bombs to disable or destroy computer systems or data," Raymond Van Dyke, a technology attorney in Washington, told TechNewsWorld.
As the value of data continues to rise, there is a large economic need to thwart employees who try to compromise the systems entrusted to them, Van Dyke noted. The importance of the data's secrecy and confidentiality, meanwhile, adds to the urgency of its protection, he added.
"The ease with which programmers or systems administrators can undermine large, perhaps global, systems is a problem," Van Dyke concluded. "The heavy sentence given here reflects the need for a large deterrent."
To Catch a Cyber-Criminal
At the same time, however, Lin's case also underscores how easily cyber-criminals can be caught, Parry Aftab, a cyber-crime lawyer and cybersecurity expert, told TechNewsWorld.
"People often think that what they do in cyberspace won't show up at their door, but they always touch the ground and cyber 'breadcrumbs' always leave a trail," she said. "Some do it for revenge, others do it for ego, but a trail always leads back to them."
It's actually much easier to find cyber-criminals than it is criminals in the concrete world, Aftab asserted.
"If a criminal breaks into a store and there's no camera and no fingerprints are left behind, we probably won't know who they are," Aftab explained. "But in cyberspace, you're going to have something leading back to you. You can try to erase it, but unless you want to bank on being the smartest hacker ever, the people investigating are probably just as skilled, and they will find you."
Most cyber-crimes that involve networks happen from within, Aftab noted. "The best way for companies to stop cyber-crimes," she concluded, "is by protecting their networks from their own employees, from people who clean the office, and from others who have access."