The 27-year-old must also pay $235,488 in costs to Washtenaw County. This amount is reported to be the full cost of investigating and addressing the security breach.
According to Voits' guilty plea, made through a plea agreement in December 2017, from January to March in the same year, the man engaged in a campaign to break out an inmate.
Voits first turned to social engineering and attempted to lure prison staff into visiting the domain ewashtenavv.org, swapping out the "w" in the true ewashtenaw.org prison website domain in an attempt to appear legitimate.
This malicious domain was a full copy of the real prison website, but also contained malware. Voits called prison staff, masquerading as "Daniel Greene" and requesting help with "court records," which required them to visit the fraudulent website.
The spear-phishing campaign, designed to lure staff to visit the malicious domain and both download and execute malware on prison PCs, failed.
Viots was not discouraged, however. The man then proceeded to call and email the prison, pretending to be county IT staff in the midst of upgrading the prison's systems. During emails and calls, Voits asked prison employees to visit the malicious domain and to download executable "upgrade" files which contained malware.
Not only did some members of staff fall for the second scheme, but the 27-year-old was also able to gain remote access login details from one employee.
The hacker then installed malware on prison systems which was able to collect information including login credentials, emails, and personal information belonging to over 1600 employees.
Voits was also able to access the XJail system, an internal application which dealt with prisoner records.
In March, he accessed XJail and tampered with the records of at least one inmate.
However, the hacker underestimated the prison's staff. The tampering was detected almost immediately, the changed record was corrected, and the FBI -- alongside a cyberforensics firm -- were called upon to track down the intruder.
"Voit's intrusion compelled the county to hire an incident response company to determine the full extent of the breach, to reimage numerous hard drives, to verify the accuracy of the electronic records of nearly every then county jail inmate, and to attempt to reassure the 1600 county employees whose personal data had been compromised by purchasing an identity theft program for county employees," the agreement states.