Former Georgetown student Justice Suh pleaded guilty on one count of computer fraud for hacking The Corp’s email system. The federal government charged Suh in D.C. federal court in April 2019, and the U.S. government representative in this case recommended a sentence of 6 months’ probation.
The government’s sentencing memo notes Suh’s awareness of his crime, stating, “Suh knowingly caused the transmission of a program, information, code, or command, and a result of his conduct, intentionally caused damage to The Corp’s computer system without authorization.”
Suh had been a member of The Corp since he was hired in the fall of 2015, serving as the Director of Information Technology beginning in March 2017 until his resignation in December of that year. In a letter to the court, Maddie Oswald, the COO and Vice President of The Corp, said the defendant hacked its computer system three times, in May 2017, September 2017, and March 2018.
To commit his initial May 2017 hack, Suh compromised The Corp’s G Suite system. He first gathered personal employee information from The Corp Access system, a program used for registering work hours. Suh later published this information, including names, emails and passwords of 297 Corp workers on Pastebin, a publicly accessible text storage website. He then forwarded the Pastebin link to The Corp’s listserv but ultimately deleted the information five hours later, according to the sentencing memo.
The FBI alerted the affected employees of the hack.
In March 2018, Suh created a fake Corp email account and granted the domain “super administrator status,” removing this privilege from another account in the Corp system. He added another Corp employee as the secondary email address for the fake account. Suh also changed the Chief Financial Officer’s account login information. Within hours, the CFO and other board members realized that the fake email was the only account with super administrator status, meaning they no longer held authority over The Corp’s data. Despite reaching out to Google, The Corp was unable to regain access without the correct passwords—passwords which Suh had altered. The Corp turned to Suh for help, given his previous role as the Director of IT.
Meanwhile, Suh had deleted 239 employee accounts and “business and organizational documents” from the G Suite. The Corp hired a third-party company to manage the situation, during which they determined that the attack had occurred from within The Corp. Eventually, board members were able to view the activity on the G Suite, leading them to believe Suh was behind the hack. The Corp reported the incident to the Metropolitan Police Department. Suh “denied any involvement” to the police, according to the sentencing memo. However, when the FBI obtained a search warrant, Suh admitted to the crime.
Oswald explained that the effects of the final March 2018 cyber attack impacted The Corp’s business operations and required a third-party consultant to repair the damages to the system. Oswald claims this placed a financial burden on The Corp, as the third-party company’s fees cost nearly $6,000. Additionally, The Corp estimates that the time employees devoted to containing and remedying the hack totaled 375 hours, or just over $4,700 in wages.
According to a statement from The Corp, Suh wrote an apology letter to the organization and included compensation for the money lost as a result of the hack. “In his letter to The Corp, Mr. Suh apologized for his hurtful and destructive actions, acknowledged that the actions were wrong, and offered to provide remediation for the harm caused by his actions. He subsequently provided The Corp with a check in the amount of $10,695.62,” the statement reads.
In his sentencing, the court acknowledged Suh’s Joubert Syndrome— a brain developmental condition—as a potential factor in the case. “Joubert Syndrome has negatively influenced the defendant’s emotional development, as well as his as ability to engage socially. Indeed, Mr. Suh’s criminal conduct is directly in line with his emotional immaturity and inability to appreciate the effect of his actions on others,” the court wrote.
Editor’s Note: This post has been updated to reflect the fact that the U.S. government has recommended a sentence of 6 months’ probation.
You cite a link with a recommended sentence and claim it states he has been sentenced. In fact, I don’t believe it has happened.
Thanks for updating.
The article states, “The federal government charged Suh in D.C. federal court, where he received a sentence of 6 months’ probation in April 2019.”
This is misleading. The sentencing hearing is June 25. The aforementioned probation is merely a recommendation pending the official sentencing later this month.