A system administrator at software firm Avaya has been indicted following his involvement in a fraud scheme that saw pirated licenses worth $88 million sold to co-conspirators over the course of several years.
US courts said on Friday that Brad Pearce conspired with New Jersey-based businessman Jason Hines in what officials described as a “massive international scheme” to profit from the sale of pirated telephone system software licenses.
Pearce, who officials said was a “long-time customer service employee” at the software firm, abused his sysadmin privileges to generate keys for IP Office software licenses.
IP Office is a telephone system used by hundreds of small businesses across the United States and abroad. To access the system, users were required to purchase access keys from an authorized Avaya distributor or reseller.
“Brad Pearce, a long-time customer service employee at Avaya, allegedly used his system administrator privileges to generate those keys without authorization, creating tens of thousands of them that he sold to Hines and other customers,” the Department of Justice said in a statement on Friday.
According to earlier court documents on the case, Pearce was alleged to have abused sysadmin privileges to use former Avaya employee accounts to generate additional license keys.
Thereafter, the licenses were purchased by Hanes’ company, Direct Business Services International (DBSI) - a New Jersey-based business communications systems provider and, up until recently, an authorized Avaya reseller.
The scheme, which lasted several years, resulted in the sale of software licenses with a retail value of over £88 million.
State of ransomware readiness 2022
Explore the business implications and personal impacts of ransomware and find out how organizations are defending against attacks today.
Officials added that Hines’ business was “by far” the largest customer in the pirated license scheme, purchasing over 55% of the total stolen.
Hines pleaded guilty to conspiracy to commit wire fraud, officials said last week.
As part of a plea agreement, the Department of Justice said it had agreed “not to advocate” for a prison sentence of more than five years.
In addition, Hines must forfeit “at least” $2 million as part of the deal and make full restitution to his victims.
For their involvement in the scheme, Brad and Dusti Pearce were charged with conspiracy to commit money laundering, as well as a charge of money laundering.
Pearce’s involvement in the conspiracy marks the second case this year in which a company employee has actively defrauded their employer, or colluded with outside individuals to do so.
In May, a UK-based IT worker was convicted of unauthorized computer access and blackmail after hijacking a ransomware attack on his employer.
Ashley Liles was found to have attempted to blackmail his employer, Oxford Biomedica, into paying a ransom in the wake of a 2018 security breach.
Liles hijacked the ransomware attack and posed as the culprits in order to blackmail company executives into paying a ransom.
