Romanian Hacker Sentenced for Selling Stolen Oregon Emergency Management Credentials, Exposing Employee PII
What Happened – Catalin Dragomir, a 46‑year‑old Romanian national, pleaded guilty to aggravated identity theft and illegal access to a protected computer after repeatedly breaching Oregon’s Office of Emergency Management. He advertised and sold the stolen administrative credentials on a dark‑web marketplace, then distributed employee personal data (name, email, DOB, SSN). The same tactics were used against ten additional U.S. companies, causing at least $250 k in losses.
Why It Matters for TPRM –
- Credential‑as‑a‑service attacks can originate from any geography, bypassing traditional perimeter defenses.
- Exposure of employee PII in a government agency raises compliance and reputational risks for downstream vendors.
- The case highlights the need for continuous monitoring of third‑party access and robust identity‑management controls.
Who Is Affected – State and local government agencies, plus a cross‑sector set of U.S. private companies that relied on the compromised credentials.
Recommended Actions –
- Review all third‑party access agreements for privileged accounts.
- Enforce multi‑factor authentication and least‑privilege principles on all admin credentials.
- Deploy real‑time credential‑theft detection and dark‑web monitoring services.
- Conduct a forensic review of any systems that may have been accessed using the sold credentials.
Technical Notes – Attack vector: sale of stolen administrative credentials via a dark‑web ad (STOLEN_CREDENTIALS). Data exfiltrated: employee name, email, date of birth, Social Security number. No public CVE was involved; the breach leveraged weak credential hygiene and lack of MFA. Source: The Record