Last year, Jason Cornish resigned from his information tech job at Shionogi offices in Georgia after a dispute with a senior manager. However, he was subsequently retained as a consultant, but later resigned and then a co-worker and friend was laid off. And so this past February, Cornish hacked into the Shionogi network and wiped out most of the drugmaker’s computer infrastructure.

Having pled guilty this past August, Cornish was sentenced late last week by a federal judge in New Jersey, where Shionogi maintains US headquarters, to 41 months in prison and also ordered to pay $812,567 in restitution. He also faces three years of supervised release, which includes computer monitoring and occupational restrictions, according to court documents (see here).

His hacking, which the Japanese drugmaker initially estimated cost about $300,000, paralyzed communications and order tracking systems for several days. How did Cornish manage this? Several times last fall and winter, he allegedly gained unauthorized access to the Shionogi network from his home Internet connection using administrative passwords to which he had access as an employee (read this).

As we noted previously, Cornish appeared rather cavalier or unsophisticated for an IT specialist. The FBI was called in and examined Shionogi remote access firewalls, which yielded the IP address from where his attack originated. The feds then contacted AT&T, which led them to a McDonald’s, where he used a Visa credit card to spend $4.96 just five minutes before the attack. And Bank of America later confirmed that this card belonged to Cornish.

Hacking by current and former employees is a regular concern, of course. And while not everyone may be as easy to detect as Cornish, disgruntled employees can clearly do damage with seemingly little effort, especially when passwords are not disabled and disaster recovery plans are not tested.