A cybersecurity expert who was supposed to help protect a Westchester cybersecurity company from hackers has been sentenced to prison for trying to extort $1.5 million from the client.
U.S. District Judge Vincent L. Briccetti sentenced Vincent Cannady to three years and a month in federal prison, on Jan. 23, followed by two years of supervised release.
Cannady, according to court records, threatened to release highly sensitive information that would have imperiled Kyndryl Holdings Inc.’s “reputation and shake investor confidence.”
In 2022, Experis Manpower Group, of Milwaukee, hired Cannady, of El Dorado Springs, Missouri, as a cybersecurity consultant. He was assigned to Kyndryl, a publicly-traded company that provides internet technology infrastructure services to multinational businesses. Kyndryl was spun off from Armonk-based IBM in 2021, is headquartered in Manhattan and has offices in Rye Brook.
Cannady was fired in June 2023 “for performance reasons,” according to a criminal complaint filed in 2024. Days later he uploaded more than 800 Kyndryl files to his personal cloud account.
The files included sensitive information, such as penetration test reports and diagrams of computer systems that hackers could use to breach Kyndryl’s systems.
For six months he repeatedly demanded a “settlement” from Kyndryl and Experis to stop him from disclosing the information or suing them. One email message, for instance, was copied to two journalist and included the statement, “I have a great business news story for you to share with your editors.”
He continued making threats even after Kyndryl got a federal court to issue a temporary restraining order prohibiting Cannady from disclosing information.
This past September, a federal jury in White Plains convicted Cannady of attempted extortion.
The U.S. Probation Office calculated that he could be imprisoned for 70 to 87 months, under nonmandatory sentencing guidelines.
Cannady, who represented himself in the case, requested no jail time, in a sentencing memorandum submitted to the judge.
His demands were merely settlement negotiations ordered by a judge in a lawsuit with his employer. “A defendant cannot be ordered to negotiate and then prosecuted for doing so,” he argued.
Cannady says he had a First Amendment right to petition his employer. He made no threats of violence, property damage or physical harm. Kyndryl is not a helpless victim, but rather a multinational cybersecurity corporation represented by elite counsel. No crime occurred. No money was obtained. He poses no danger to the public.
The alleged harm, he stated, “consisted of corporate inconvenience, legal fees, and reputational concerns – none of which constitute extortion damages.”
Assistant prosecutors Reyhan Watson and James McMahon recommended imprisonment of 97 months.
Cannady abused a position of trust when he threatened to release critical infrastructure information unless Experis paid him $535,000 and Kyndryl paid him $1.5 million.
He gave false testimony in the trial. He still claims his conduct was lawful. And he minimized his actions as being the result of a 3-year-long period of anger due to alcohol.
“Absent a meaningful sanction,” the prosecutors argued, “Cannady has made clear that he will reoffend or leverage sensitive information again when it suits him.”
Cannady filed an additional sentencing recommendation on the day he was sentenced. He asked for access to Veterans Administration services, including PTSD, alcohol, mental health and medical treatment.
Judge Briccetti recommended that the Bureau of Prisons place Cannady in a Missouri facility that is capable of treating his medical and mental needs.
