UPDATE: Man charged in TSYS identity theft violated computer policy at Paragon Benefits

benw@ledger-enquirer.comOctober 15, 2013 

Drew D. Johnson, 26, center, is escorted into court by two FBI agents Tuesday after being arrested Friday on identity theft charges. The arrest is linked to global credit-card and payment processor TSYS, who a few weeks ago announced that personal data from 5,247 current and former employees was stolen by an employee of a third-party administrator of its health care plans. The company said a Paragon Benefits worker emailed the names, addresses, birth dates and Social Security numbers to a personal email account.

MIKE HASKEY — mhaskey@ledger-enquirer.com Buy Photo

A week after he was placed at Paragon Benefits Inc. by a temporary staffing agency, Drew Johnson appeared to be spending more time on his computer than his duties required before personal information from more than 5,200 TSYS employees was sent to his personal Gmail account, records in U.S. District Court stated Tuesday.

Johnson, 26, of Columbus was arrested Friday at an undisclosed residence and charged with felony identity theft. In an affidavit from FBI special agent Christian Coulter, Johnson is accused of illegally transferring and possessing the identification of another person in connection with an unlawful activity. TSYS said at least 1,000 former employees and 11 family members had their data compromised.

Johnson made his initial appearance in District Court and was ordered held for a 2 p.m. Thursday hearing before Judge Stephen Hyles. A motion from U.S. Assistant Attorney Melvin E. Hyde Jr. cited a risk to flee and no conditions for release that would reasonable assure the safety of the community.

Court records show that Johnson started work on Sept. 3, 2013, at Paragon Benefits, a company which administers health benefits for credit-card and payment processor TSYS in Columbus and Kelley Manufacturing Co. in Tifton, Ga. A week later, a Paragon employee noted that Johnson appeared to be spending more time typing on his computer than the job required of a new employee. The same employee believed that Johnson may have been sending personal emails from the account at the office, an activity that’s in violation of company policy.

An information technology analyst was directed to examine Johnson’s computer activity at work. The analyst discovered that Johnson sent two emails from his Paragon email to a personal Google Gmail account, which included an attached spreadsheet. In a search for recent computer activity, the analyst found searches that referred to the personal identifying information of employees whose benefits were administered by Paragon.

Files accessed by Johnson included two files, one from TSYS and another from Kelley Manufacturing, a company that manufactures agricultural equipment. Information included the employees names, dates of birth, Social Security numbers and home addresses. At the time, Johnson had access to the files but had no professional reason to visit the information.

To conduct a more in-depth examination of the employee’s computer, Paragon contracted with forensics computer Borderhawk. The company called the incident an internal data leakage, not an external cyber breach. The company also was able to put together a timeline showing how folders were accessed, a spreadsheet was created and emailed with an attachment to Johnson’s Gmail account. A second spreadsheet was created and attached to a second email to Johnson, records show.

Johnson used a Paragon computer and its network to examine thousands of employees’ personal information without authority, records show. On Sept. 17, an attorney for Paragon Benefits told the FBI that an employee who had been terminated had acquired personal information for employees of TSYS and Kelley Manufacturing.

The investigation by federal authorities with help from Columbus Police Department led to his arrest on Friday.

Related stories:

FBI nabs Columbus man on ID theft charge

Update: TSYS says names, addresses, birth dates and Social Security numbers of more than 5,200 current and past employees stolen

Ledger-Enquirer is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service