Naked Security

Ex-IT director accused of accessing his former employer for two years

Case again raises the issue of how organisations can protect themselves against rogue employees

Columbia Sportswear is suing its former top IT director for allegedly setting himself up with a fake email account the day before he left and then using it to hack the company for more than two years.

The complaint alleges that Michael Leeper used that account to slip into the sporting goods maker’s system 700 times.

As Columbia tells it, three years ago, after 14 years of working at the company, Leeper left his job as senior IT director to become CTO at the technology consultancy and reseller Denali Advanced Integration, which was one of Columbia’s vendors.

Well, at least, Columbia management thought Leeper left. In fact, they’re now claiming, their senior IT guy didn’t entirely leave. Rather, he allegedly left one foot in the network door so he could get back in and do a bit of electronic raiding to benefit his new employer.

According to a lawsuit Columbia filed in US District Court for the District of Oregon on March 1, Leeper was hired into desktop support in 2000 and steadily rose through the ranks. By the time he left in 2014 to work for Denali, he was senior director of IT infrastructure at Columbia. As such, he had his fingers in all the pies: global IT systems, dealings with technology vendors, Columbia’s email systems, and its broader private computer network.

His duties required him to have “nearly unlimited access to the company’s network,” the lawsuit explains. That gave him a unique advantage:

…while the vast majority of Columbia employees were (and are) permitted to access only their own email accounts and limited other parts of the company’s private computer network, Leeper could access nearly all of that network, including thousands of other employees’ company email accounts. Additionally, unlike the vast majority of other Columbia employees, Leeper could create new network accounts and give existing accounts “permissions” enabling them to access otherwise forbidden parts of Columbia’s network.

Leeper had access to execs’ email accounts, as well as to the company’s finances, its strategic planning, and plenty of other sensitive, proprietary knowledge.

As a reseller, Denali worked as a middleman between Columbia and hardware and software vendors like EMC and IBM from about 2012 to 2016. Denali wasn’t the only reseller competing for Columbia’s business, though. If Denali were to know what hardware or software Columbia needs and what it’s willing to pay, Denali would have that much of an edge over the competition.

On March 2, 2014 – his penultimate day at Columbia – the sporting goods company alleges that Leeper surreptitiously set up a network account under a false name, “Jeff Manning”. The “jmanning” account would enable him to log on remotely to Columbia’s network, according to the complaint.

Columbia alleges that the jmanning account gave Leeper access points to the network via:

  • Virtual Private Network (VPN)
  • Virtual Desktop Infrastructure (VDI)
  • Employees’ private company email accounts (in conjunction with an older “service” network account named “svcmom”)

After allegedly boosting permissions on those accounts, Columbia says that Leeper spent the next two and a half years hacking the network on 700 separate occasions. He allegedly went after IT employee emails, accessing dozens of emails on each occasion and allegedly getting unauthorized access to IT equipment upgrade budgets, detailed spreadsheets showing various aspects of Columbia’s prior IT spending and projected spending, communications between Columbia and Denali’s competitors, and, in some cases, contracts between Columbia and Denali’s competitors.
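
The pattern alleged above (an account with no real employee behind it, created by an administrator just before he left, alongside an old service account used for remote access) is what reconciling directory accounts against HR records is meant to surface. The following is an added example, not code from the complaint or from Columbia's systems; every login, date and field name is constructed, and the 30-day window is an assumption.

```python
from datetime import date, timedelta

# All records below are constructed sample data for illustration.
HR = {  # login -> last working day (None = currently employed)
    "asmith": None, "bjones": None, "dadmin": date(2020, 6, 30),
}
SERVICE_OWNERS = {"svc_backup": "asmith", "svc_legacy": "dadmin"}  # service account -> owner
ACCOUNTS = [  # hypothetical export of enabled directory accounts
    {"login": "asmith", "created": date(2015, 1, 5), "by": "provisioning", "remote": {"vpn"}},
    {"login": "bjones", "created": date(2018, 9, 3), "by": "provisioning", "remote": set()},
    {"login": "dadmin", "created": date(2006, 2, 1), "by": "provisioning", "remote": {"vpn", "vdi"}},
    {"login": "jdoe2", "created": date(2020, 6, 29), "by": "dadmin", "remote": {"vpn", "vdi"}},
    {"login": "svc_backup", "created": date(2012, 4, 2), "by": "asmith", "remote": set()},
    {"login": "svc_legacy", "created": date(2010, 7, 7), "by": "dadmin", "remote": {"vpn"}},
]

def audit(accounts, hr, service_owners, today, window_days=30):
    """Return {login: [reasons]} for enabled accounts that fail reconciliation."""
    findings = {}

    def flag(login, reason):
        findings.setdefault(login, []).append(reason)

    def departed(login):
        last = hr.get(login)
        return last is not None and last < today

    for acct in accounts:
        login, creator = acct["login"], acct["by"]
        is_service = login in service_owners
        if not is_service and login not in hr:
            flag(login, "no matching HR record")
        if not is_service and departed(login):
            flag(login, "owner has left but account is enabled")
        if is_service and departed(service_owners[login]):
            flag(login, "service account owner has left")
        if is_service and acct["remote"]:
            flag(login, "service account has interactive remote access")
        left = hr.get(creator)  # last working day of whoever created the account
        if left and timedelta(0) <= left - acct["created"] <= timedelta(days=window_days):
            flag(login, f"created by {creator} within {window_days} days of their departure")
    return findings

if __name__ == "__main__":
    for login, reasons in audit(ACCOUNTS, HR, SERVICE_OWNERS, date(2020, 9, 1)).items():
        print(login, "->", "; ".join(reasons))
```

Run on a schedule against fresh exports, a check like this reports the stray account and the orphaned service account within days of an off-boarding.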

Columbia says it picked up on the network intrusions while implementing an upgrade to its email system in 2016. It reported the matter to the FBI, lawyered up, set about closing down the breach, and tasked its employees to figure out who was behind it.

Columbia is charging Leeper and Denali with violating the Computer Fraud and Abuse Act (CFAA) and the Wiretap Act. It’s also charging Leeper with breaching loyalty.

Columbia’s complaint says that Denali and Leeper haven’t cooperated with its efforts to find out what confidential business information was accessed and what information Denali might still hold.

Columbia has asked the court to order Denali and Leeper to destroy any information they obtained from their intrusion. The company is seeking an unspecified sum in damages.

How do you protect against your own?

We’ve written about insider threats before. Late last year, Jonathan Lee, Sophos’s UK healthcare sector manager, outlined five things healthcare organizations can do to better protect patient data.

They’re good advice, whether you work in a healthcare organization, a sporting goods retailer, or any other industry, so here they are again:

1. Know your risk

The first thing to do is carry out a thorough risk assessment so that you know what threats you face, understand your vulnerabilities and assess the likelihood of being attacked. It’s only when that is complete that you can go on to the next stage of creating an integrated cybersecurity plan.

2. Follow best practice

Health organizations – and others, too – too often spend money on cybersecurity solutions but then fail to properly deploy them. Make sure you’re following the recommendations for best practice when deploying your defenses.

3. Have a tried and tested incident response plan

Work on the assumption that an attack will happen and ensure you have a tried and tested incident response plan that can be implemented immediately to reduce the impact of the attack.

4. Identify and safeguard your sensitive data

It’s almost impossible to protect all your data all of the time, so identify the information you keep that would harm your organization if it were stolen or unlawfully accessed and implement suitable data security procedures to ensure it is appropriately protected.

5. Educate employees

With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your cybersecurity plan must be to make sure all your staff know the risks they face and their responsibilities. Educating them is your job, and should be part of your plan.


1 Comment

At the top of the list, I would put:
1. Separation of duties
2. Proper HR/Off-boarding policies
3. Auditing of user accounts & comparing with HR records
