It isn't uncommon for people to go to prison for breaking into corporate computers and stealing data. It's rare, though, for someone to be sent back to jail for breaking into a prison computer system while already serving time for another crime.
Meet Francis Janosko, a former inmate at the Plymouth County Correctional Facility in Massachusetts who was arrested by the FBI last week in North Carolina for allegedly accessing systems on the prison's computer network without authorization and stealing confidential data, including the Social Security numbers and other personal information of about 1,100 current and former prison workers.
Janosko, 42, was charged with one count of intentional damage to a protected computer and one count of aggravated identity theft. If convicted on both charges, he faces up to 12 years in prison and a fine of up to US$250,000.
An announcement about Janosko's arrest that was released last Thursday by the U.S. attorney's office in Boston didn't say why Janosko had been serving time or when he was released from the correctional facility. A spokeswoman for U.S. Attorney Michael Sullivan declined to provide those details and also wouldn't disclose how or when law enforcement authorities learned of Janosko's alleged intrusions into the prison's IT systems.
According to indictment papers that were unsealed last week, Janosko was allowed to use a thin-client device for accessing a server containing legal research while he was an inmate at the Plymouth County correctional center.
The system was configured to prevent inmates from accessing other applications on the server as well as the Internet, e-mail and other computers on the prison's network. But the server was connected to the Internet via the same physical network as the other prison systems in order to download Windows security updates as needed.
Janosko found "a previously unknown idiosyncrasy" in the legal research software that essentially allowed him to break through all of the controls that had been put in place, the indictment claims. It adds that over a four-month period starting in October 2006, he exploited the vulnerability and reconfigured the computer network so that he and other inmates had access to multiple applications and computing services.
For instance, Janosko provided himself and other inmates with access to a document containing the names, dates of birth, Social Security numbers, home addresses, telephone numbers and past employment histories of the 1,100 prison workers, according to the indictment. In addition, he allegedly was able to gain access to the Internet and download two short video films, plus digital photographs of two prison personnel and two inmates as well as an aerial photo of the facility itself.
The indictment also says that Janosko managed to obtain a username and password for accessing an "important" prison management application and that he attempted to log into the program -- but without succeeding before he was caught.