A former information technology administrator with Finance Insurance Ltd. was sentenced to three years of federal probation Monday after he admitted to illegally accessing the company’s network and locking out the employees from core functions.
Federal prosecutors asked a judge to sentence Casey K. Umetsu Sr., 40, to a prison term between 30 and 37 months in accordance with U.S. sentencing guidelines after his weeklong siege of the company’s computer network resulted in a loss between $95,000 and $150,000.
Umetsu’s attorney, Assistant Federal Public Defender Jacquelyn T. Esser, asked for two years’ probation.
Umetsu entered a plea of guilty to a single charge of intentional damage to a protected computer as part of a plea agreement with the government. He faced up to 10 years in prison and a $250,000 fine.
U.S. District Judge Jill A. Otake settled on a sentence of three years of federal probation and barred Umetsu from having any contact directly or indirectly through third parties with the president, vice president or the defendant’s former supervisor, identified in court documents as “FK,” of Finance Insurance Ltd.
In a letter to Otake filed Jan. 24, Umetsu wrote that he is “remorseful for the harm that was caused to Finance Insurance, Finance Factors, its employees and customers.”
“There were a lot of people affected. Confusion, anger, panic, frustration and worry are some of the emotions or feelings that people involved might have experienced. Those are things that we need less of in our lives. I’m remorseful for the extra work caused to everyone involved and all of the un-needed strain/stress that resulted. I am ashamed. There are no words that can express the shame that is felt,” Umetsu wrote. “I accept responsibility for the harm that was done. Computers should always be used for good and not bad, regardless of the circumstance. There is no excuse that could warrant any harm. No one forced me to do anything and I accept responsibility for the harm that resulted.”
Assistant U.S. Attorney Wayne A. Myers, who prosecuted the case for the government, declined comment. A spokesperson for Finance Insurance Ltd. declined comment.
Umetsu resigned from Finance Insurance on Aug. 16, 2019, after an incident that involved a “workers’ compensation claim and a lapse in insurance that resulted in a disruption of medical treatment” and a second incident allegedly involving workplace sexual “harassment and bullying,” according to a sentencing memo from Esser.
Umetsu was senior information system technologist for Finance Insurance and was responsible for an array of tasks, including administering the computer network, domain, website and computer servers; overseeing hardware and software upgrades; working with outside vendors; and assisting employees with general computer and technology problems, according to a plea agreement filed Sept. 28.
A day after he left the company, Umetsu logged on to the Finance Insurance Network Solutions account, which would allow him to modify domain routing settings and update contact and payment information.
Using an internet connection from his home in Honolulu, Umetsu accessed the website of Network Solutions and used Finance Insurance’s unique “User ID” and password to log in to the portal.
After gaining access to the portal, “the defendant then made numerous unauthorized changes” to the Network Solutions account. Umetsu changed the customer company name from Finance Insurance to “Honolulu Disposal Service.”
He changed the customer email contact to a Gmail account controlled by him; switched the customer phone number to his personal cellphone number; changed the password needed to access Finance Insurance’s account through the Network Solutions portal; and changed the primary contact name to “Supah Dung.”
Umetsu altered the domain name system settings for Finance Insurance’s domain so that “incoming web and email traffic directed” to Finance Insurance’s domain was misdirected from IP addresses affiliated with the company to IP addresses unaffiliated with the company. This made it so “would-be visitors could not access” Finance Insurance’s website and company employees could not send or receive email.
Umetsu also sent out fake emails purportedly from “senior management” companywide and deleted all of the company’s Microsoft Office accounts.
When a company employee tried to use a personal email address to regain control of the Network Solutions platform, Umetsu initiated a dispute, locking everyone out until it could be resolved.
Umetsu went so far as “to suggest to his former employer that he was not responsible for the attacks while simultaneously offering to help them identify the culprit and fix the very damage he was causing,” according to a sentencing memo authored by Myers.
Umetsu’s crime was, “regardless of whatever motivated it,” an extremely “serious one that caused a catastrophe for a sophisticated company that employs many members of the community and provides important services to even more,” wrote Myers.
“Over the course of the criminal escapade, which spanned a full week, the defendant had numerous opportunities to cool off, reconsider his actions, and stop sabotaging his former employer. But he did not,” wrote Myers. “Rather, he continued to invent, and then execute, new ways of causing mayhem, many of which he was only able to carry out successfully because his former employer (and former colleagues, who, incidentally, withstood the worst of the defendant’s actions) had placed so much trust in him.”