Feds Charge Ex-Denali CTO Michael Leeper With Computer Fraud In Columbia Sportswear Hacking Case
Federal prosecutors have accused the former CTO of solution provider Denali Advanced Integration of unlawfully accessing Columbia Sportswear's network to view commercially valuable and private information.
The U.S. Attorney's office has charged ex-Denali CTO Michael Leeper (pictured) with one count of computer fraud, claiming that Leeper remotely and intentionally accessed Columbia's network between March 2014 and October 2016 to gain a commercial advantage. Before joining Denali in March 2014, Leeper spent 14 years in Columbia's IT department, rising to the role of director of technology infrastructure.
"After leaving Columbia, defendant continued to remotely access Columbia's network, accessing and viewing commercially valuable and private information," Billy Williams, U.S. Attorney for the District of Oregon, wrote Thursday in a three-page felony introductory allegations filing.
[Related: Denali Denies Wrongdoing Amidst Claims That Its CTO Hacked Ex-Employer Columbia Sportswear]
If Leeper is convicted of computer fraud, the U.S. attorney's office said he will be required to forfeit any money or proceeds obtained from the alleged hacking as well as any property used to commit or facilitate the hacking. Apparel heavyweight Columbia Sportswear had been a customer of Redmond, Wash.-based Denali, No. 83 on the 2017 CRN Solution Provider 500.
Samuel Kauffman, Leeper's attorney, declined to comment, while Denali did not immediately return a request for comment on this story.
Denali has not been charged with anything by the U.S. Attorney, but is a named defendant in a civil lawsuit filed by Portland, Ore.-based Columbia in March. Denali denied any wrongdoing in the civil case, which is still pending.
In a 19-page lawsuit filed March 1 with the U.S. District Court in Portland, Columbia accuses Leeper of using dummy email accounts on more than 700 occasions to illegally view internal communications concerning deals in which Denali had a financial interest, emails between Columbia and Denali's competitors, and confidential documents related to Columbia's long-range IT budget plans.
Denali CEO Majdi Daher told CRN on March 10 that Leeper had been placed on paid leave while the solution provider conducted an investigation into Columbia's allegations with the help of a third-party cybersecurity firm and legal counsel. Four days later, Denali announced in a statement that Leeper's employment with the company had been terminated.
’In conducting our own investigation into claims made by Columbia Sportswear, we discovered that Mike [Leeper] violated Denali policy through his use of a personal laptop that he acquired while employed by Columbia, and that he had used for his work at Columbia,’ Daher said in the March 14 statement. ’This violation spurred his termination.’
Nate Beck, formerly a principal architect with Denali, was promoted in March 2017 to be Denali's chief technologist, according to LinkedIn.
As a result of Leeper's time in Columbia's IT department, the company said Leeper had nearly unlimited access to the company's private computer network, including thousands of secure email accounts used by Columbia employees around the world.
One day before Leeper left Columbia, the company alleges he created a separate, unauthorized account under a false name so that he could continue accessing Columbia's private computer network. Leeper was one of very few Columbia employees authorized to both create new accounts and give existing accounts permission to access otherwise forbidden parts of the network, according to the lawsuit.
Columbia has additionally accused Leeper of giving a dormant service network account several new permissions that would allow a user of the account to access other Columbia employees' email accounts.
In total, Columbia alleges Leeper hacked into at least eight of its employees' email accounts during the late summer and early fall of 2016, and additionally accessed other documents and information stored on Columbia's network.
Columbia said it detected Leeper's intrusions while implementing an upgrade to its email system during the summer of 2016. The company said it reported the matter to the FBI and began monitoring Leeper's two unauthorized accounts.
Columbia is seeking economic and punitive damages, attorneys' fees, and an order prohibiting Denali and Leeper from using any unlawful Columbia information they still possess, according to the lawsuit.