Wednesday, October 28, 2020

FORMER TRILLIUM HEALTH EMPLOYEE CHARGED WITH CYBERHACKING MULTIPLE CO-WORKERS

ROCHESTER, N.Y. -- U.S. Attorney James P. Kennedy, Jr. announced today that Ameer Elashmawy, 28, of Rochester, NY, was charged by criminal complaint with unauthorized access of a protected computer and identity theft. The charges carry a maximum penalty of five years in prison and a $250,000 fine. 

 

Assistant U.S. Attorney Melissa M. Marangola, who is handling the case, stated that according to the complaint, the defendant was an Information Systems Security Support Coordinator at Trillium Health in Rochester, and was responsible for the company's information system security design and oversight. Elashmawy also assisted employees with their various IT needs as they arose. The defendant had administrative rights and could log onto other employees' work accounts; however, he was not allowed to access the personal accounts of employees or former employees.

 

On January 2, 2020, a co-worker noticed unusual activity on the Trillium Health network, and traced the activity to an IP address connected to a device located at Elashmawy’s work area. The co-worker determined that the “user” logged on at that time was another Trillium Health employee named “J.P.” However, J.P.’s password had been changed and the account was actually being accessed remotely from Elashmawy’s workstation.

 

The co-worker continued to explore the activity on the suspect IP address remotely. He located file names that were unusual and unrelated to normal work conducted at Trillium Health, but he did not access the content of those files. The co-worker then reported the unusual activity he had found to his supervisor. On January 3, 2020, the Director of Information Systems and Technology at Trillium Health accessed some of the folders from the suspect device and found naked, compromising photos of females who worked at Trillium Health, as well as usernames and passwords for their social media accounts. A photo of someone’s social security card was also discovered. Later that day, Elashmawy was confronted by supervisors. He was allowed back to his office and was escorted out of the building.

 

On January 6, 2020, Trillium Health contacted law enforcement and an investigation began into the defendant’s cyber intrusion into co-workers’ accounts. The investigation included a review of three USB thumb drives, an HP laptop computer, two work Dell PCs, a hard drive, two Apple iPhones, and the suspect device. A preliminary review of the items identified at least 14 victims, all employees of Trillium Health, whose personal accounts (social media, iCloud, etc.) had been compromised by Elashmawy. The data reviewed included personal explicit photos and videos of the victims as well as numerous photos of the victims’ driver’s licenses, credit cards, social security cards, and other personal data. During the course of the investigation and continued analysis of computer devices, it was learned that numerous employees or former employees of Trillium Health had been victimized by the defendant.

 

Over 20 employees at Trillium Health were interviewed by investigators and each employee described similar circumstances: The victims were issued laptops by Trillium Health. When an update or issue arose with their work computer, IT was contacted. Each of the interviewed victims had been assisted by the defendant. Accordingly, Elashmawy was given access to their computers to correct work-related issues. Each employee had accessed their personal social media, Google, or email accounts at one time or another from their work laptop, all of which were password protected. None of the victims (except for J.P.) provided the defendant with their passwords, and none of the victims, including J.P., gave Elashmawy permission to access or download data from their personal password-protected accounts.

 

Employee J.P. was also interviewed. In spring 2019, J.P. asked Elashmawy to install Spotify on her cell phone and work laptop. The defendant indicated he needed access to each device. J.P. wrote her passwords for each on a sticky note and told him to destroy the note when he was finished. On December 21, 2019, J.P. received a security alert from Google indicating someone tried to log in to her account from another device. She then changed her password. On January 6, 2020, J.P. saw multiple logins on her Google and Facebook accounts from a PC, which J.P. does not own.

 

As a result of Elashmawy’s alleged actions, Trillium Health has spent more than $100,000 to safeguard and protect its impacted employees.

 

The defendant made an initial appearance before U.S. Magistrate Judge Mark W. Pedersen and was released on conditions.

 

The indictment is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Stephen Belongia. 

 

The fact that a defendant has been charged with a crime is merely an accusation and the defendant is presumed innocent until and unless proven guilty.