Nary a day goes by when we don't read about someone hacking into something. Frankly, we've grown a bit blase' about such things. A recent criminal Complaint, however, provides us with a fascinating details about the detective work involved in uncovering clues and ferreting out the mastermind behind allegedly unauthorized online access. At issue is the creation of an oil and gas industry website and the sale of that site for $51 million. Then the same guy who created that first site, builds another website eerily similar to the one that he had sold, and . . . well, here's where it gets interesting: The online entrepreneur attempts to sell the second site to the same folks who bought the first one from him. What makes that fact pattern illegal, you might ask. What's wrong with staying with a formula that already worked? Okay, maybe that's going to be the defendant's defense.Case In Point On March 30, 2016, the United States Attorney for the Southern District of New York ("SDNY") announced that it had unsealed a Complaint against David W. Kent, 40, Spring TX, alleging one count of Conspiracy and one count of Wire Fraud. If convicted, Defendant Kent faces a maximum of 5 years in prison (Conspiracy) and 20 years in prison (Wire Fraud). United States of America v. David W. Kent, Defendant (Complaint, 16-MAG-1906, SDNY, March 23, 2016) NOTE: A Complaint merely contains allegations and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.What caught my eye about this Complaint was the interesting fact pattern - one which got me thinking about how to better protect clients who might find themselves exposed to the same possible crimes.In the Beginning Reduced to its basics, the Complaint alleges that in 2000, Kent founded a website, which, in part, offered oil and gas industry professionals the ability to post resumes and other personal/professional information in order to facilitate networking. After opening a website account, the member used a username and password to logon. Kent realized income from this website through the sale of advertising and fees from recruiters and employers who were looking for job applicants.Payday Apparently, Kent was on to something because by August 2010, a publicly-traded New York City-based company paid him $51 million for the website. The Complaint asserts that at the time of the sale, the member database was worth about $6 million. Thereafter, as more fully explained in the Complaint:
17. On or about August 9, 2010, DAVID W. KENT, the defendant, entered into an employment agreement with Company-1 (the "Employment Agreement"), agreeing to continue to serve as President of Website-1 after the acquisition. As part of the Employment Agreement, KENT agreed to not participate in any business that competes with Website-1 while employed by Company-1. KENT also agreed to refrain from competing with Company-1 if he left Company-1, until the expiration of the latter of three years after the signing of the Employment Agreement, or two years after leaving the employ of Company-1 (the "Non-Compete Period."18. In or around September 2011, DAVID W. KENT, the defendant, left Website-1. In or about October 2013, shortly after the earliest possible expiration of the Non-Compete Period, DAVID W. KENT, the defendant, announced that he had founded Oilpro.com ("Oilpro"), which also provides networking service to professionals working in the oil and gas industry. Oilpro is headquartered in Houston, Texas.
a. On or about February 26, 2014, an individual who had created a member profile with Website-1 ("Member-1") contacted Website-1's customer support line. Member-1 stated, in sum and substance, that Member-1 had received an email solicitation from Oilpro to use Oilpro/s services even though Member-1 had never provided any information in the past to Oilpro. b. An internal review of Website-1's computer systems revealed no evidence that any employee of Oilpro had viewed Member-1's profile using an account created through Website-1. c. To determine if the Members Database was being accessed improperly, employees of Company-1 created two fictitious member accounts and populated them with names and email addresses that were only available through Website-1's Members Database.As further explained in the Complaint, on April 14, 2014, the fictitious member accounts received an email from an Oilpro employee soliciting a membership on Oilpro. In tracking down how the Oilpro employee obtained the contact information, it was discovered that on October 17, 2013, about 100,000 HTTP requests were submitted to the Member Database through the use of what was identified as a Get Resume Command, which was crafted to exploit a piece of source code unique to Website-1 and known only to a few individuals, including Kent. This was but the first round of identified hacking. Bill Singer's Comment