Breachforums Leader Fined $700,000 for Healthcare Data Breach – Krebs on Security

Settlement in Landmark Case Tied to Data Breach on Breachforums

In a notable legal development, a 22-year-old former administrator of the cybercrime forum Breachforums has agreed to pay nearly $700,000 to resolve a civil lawsuit filed by a health insurance company. The lawsuit followed the offering of sensitive customer data for sale on the platform in 2023. Conor Brian Fitzpatrick, known online as Pompompurin, is also awaiting resentencing next month after pleading guilty to charges of access device fraud and possession of child sexual abuse material (CSAM).

On January 18, 2023, extensive records from Nonstop Health, a California-based health insurer, were made available for purchase on Breachforums. These records contained highly sensitive information, including Social Security numbers, dates of birth, addresses, and phone numbers. Following the breach, class-action attorneys initiated legal action against Nonstop Health, which in November 2023 named Fitzpatrick as a third-party defendant, after his arrest by the FBI and the charges that followed.

In January 2025, Nonstop Health reached a settlement agreement amounting to $1.5 million in the class action lawsuit. Legal experts note that this case stands out because a cybercriminal was named directly in the civil litigation, a first of its kind in such contexts. Jill Fertel, a former federal prosecutor, emphasized the rarity of holding threat actors accountable in this way, noting that plaintiffs typically do not see compensation drawn from assets seized in connection with cybercriminal activity. Class members must now file claims to access any available funds.

Mark Rasch, another former federal prosecutor, acknowledged the significance of Fitzpatrick’s case, highlighting that it is uncommon to identify the threat actor in civil litigation, let alone have them suffer financial repercussions. Fitzpatrick’s admission that he possessed over 600 CSAM images while managing Breachforums illustrates the wide-ranging criminal activity connected to the platform. Although he initially received a sentence of time served and 20 years of supervised release in January 2024, federal prosecutors sought a harsher punishment because of the severity of his actions.

Within the same month as his plea, Fitzpatrick was back in legal trouble for violating the terms of his supervised release: he accessed Discord to discuss his legal situation and appeared to mock the terms of his plea deal. His life since the plea has been tumultuous; in January 2025, a federal appeals court vacated his original sentence, and a resentencing is scheduled for June 3, 2025.

Fitzpatrick launched Breachforums in March 2022 to continue operations after its predecessor, RaidForums, was dismantled by law enforcement. The forum quickly amassed over 300,000 users and facilitated numerous transactions involving stolen databases from significant breaches. Subsequent attempts to relaunch the site have been curtailed by law enforcement, reflecting the ongoing battle against cybercrime.

The case highlights not only the complexity of holding cybercriminals accountable but also raises questions about the methods such actors use. The article does not state how Nonstop Health’s data was obtained; initial access techniques such as phishing or exploitation of vulnerabilities are common in breaches of this kind, and techniques catalogued in the MITRE ATT&CK framework, including persistence and privilege escalation, are typically used to maintain access and extract sensitive data.

In the evolving landscape of cyber threats, this case serves as a reminder of the risks associated with data breaches and of the need for businesses to bolster their cybersecurity measures. For business owners, understanding the tactics used by cyber adversaries is essential to building a robust defense against intrusions into their systems. Further reading on the settlement is available through public legal channels.
