Cyberattack: two men sentenced for hacking a regional health agency
Two men were sentenced in Paris to nearly 20,000 euros in damages and eight months’ imprisonment, including four firm for one of them, for having carried out a cyberattack in 2016, against a backdrop of revenge, against the Île-de-France regional health agency (ARS).
A piracy of an ARS
“The facts for which MM. Tombari and Lallemand were found guilty are serious in that they affect the security of the data of a State service”indicates the extract from the judgment of the criminal court consulted by AFP where it is specified that “this attack (…) comes from people who have taken advantage of their past or present position within the ARS”.
Between April 11 and May 9, 2016, ARS Île-de-France suffered several intrusions into its computer system which paralyzed the operation of the service for a day and a night, and made it impossible to access data, to e-mail and the Internet.
The investigation, opened after a complaint against X from a representative of the ARS, made it possible to trace the login credentials of Bertrand Lallemand, then head of the Information System Unit of the ARS Centre-Val de Loire , where the station that allowed the intrusion into the agency’s systems was installed. The author of the hack was identified as Ali Tombari, manager of the company Ceps informatics engineering, a former service provider for the ARS, responsible for setting up backup solutions within the agency.
Following a decision not to renew the contract between the agency and the service provider, the author of the hack had the idea of “breakdown” within the agency, he confessed during the hearing. The end of this collaboration had led to the liquidation of the computer company. “I had no more customers. I had five employees. 100% of my turnover came from the two ARS. (…) I had built my life around these contracts”, he justified at the bar.
Jail and damages
Ali Tombai was sentenced to eight months’ imprisonment, four of which were closed, while Bertrand Lallemand was given an eight-month suspended sentence. Both have also been banned from exercising a profession related to IT for five years. The two men were ordered to pay jointly and severally nearly 20,000 euros in damages for non-pecuniary damage, reimbursement of intervention costs and salary increases for the agents mobilized.