Serial data thief pleads guilty to cybercrime charges

A cyberattacker and extortionist of a medical center has pleaded guilty to federal computer fraud and abuse charges in the US.

Robert Purbeck, adopting the aliases “Lifelock” and “Studmaster” during his time as a cybercriminal, according to the Department of Justice (DoJ), stole personal data belonging to more than 132,000 people.

The 44-year-old pleaded guilty to launching attacks on at least 18 different organizations across the US, including medical clinics. In one incident described by the DoJ following his 2021 indictment [PDF], Purbeck was said to have targeted a Florida orthodontist and threatened to sell his child’s personal information unless they paid a ransom.

During this time he was also said to have sent a series of emails and text messages harassing the orthodontist and his patients.

In another case heard in court this week, Purbeck allegedly bought access credentials to a Griffin, Georgia medical clinic’s server in 2017 off the dark web, broke in, and stole the personal data of more than 43,000 people in one go. This included names, addresses, dates of birth, and social security numbers.

Speaking to DataBreaches.net regarding a separate attack on a Michigan eye surgery center, which was allegedly only reported by the center two years after the attack, Purbeck tried to weaponize the media to pressure the facility into disclosing the incident.

Now where have we seen tactics similar to that before?

Following the Georgia medical center data theft, Purbeck once again used an initial access broker (IAB) to break into a server belonging to the police department of the city of Newnan, also in Georgia.

He used that access to steal various files such as police reports and other miscellaneous police documents which were ultimately found to contain the personal information of an additional 14,000 people.

“Purbeck breached computer systems in our district and across the country, stole vast amounts of personal information, and aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims,” said US attorney Ryan K Buchanan.

“Cyberattacks on healthcare facilities and local governments pose a grave risk to the security of personal information. Our office is committed to tirelessly coordinating with our law enforcement partners to help safeguard the sensitive information of citizens by combatting cybercrime threats from within and outside this district.”

Following his March 2021 arrest, Purbeck’s property was searched in August that year and feds confiscated a number of his devices.

Purbeck tried on a number of occasions to regain access to his devices and counter-sue the authorities who searched him, all while representing himself in court. Across various cases, he argued that the devices seized from his property had been taken illegally since they were crucial to a company in which he was a shareholder, tried to suppress evidence by claiming the files were illegally surveilled by the authorities, and generally complained about the conduct of the investigators involved.

Purbeck claimed that agents used excessive force and overly aggressive tactics during his arrest, and that his genitals were felt for at least a minute to humiliate him – an event that allegedly required therapy for PTSD.

The efforts to reverse the seizure of devices and quash the search warrant were denied, however. The case against various agents involved in the claims regarding excessive force has largely been dismissed, except for two who are still involved in ongoing proceedings.

Purbeck is due to be sentenced on June 18, and as part of his guilty plea, he agreed to pay $1 million in restitution to his victims. ®

Source: https://www.theregister.com/2024/03/20/serial_extortionist_of_medical_facilities/


“An interesting youtube video that may be related to the article above”