For Denali Advanced Integration, the stakes couldn’t be higher.
A massive former client – Columbia Sportswear Company – is accusing the Redmond, Wash.-based reseller and IT services provider of hacking into its systems to access emails and other data that Denali could use to win more business from the apparel maker.
Denali says that Columbia has yet to hand over enough information for the services provider to determine the scope of any intrusion.
If it did occur, Denali said, it was the work of a rogue former chief technology officer and that the company had no knowledge of what was going on.
The dispute is the subject of a mushrooming legal saga making its way through the federal courts.
On Thursday, Denali’s former CTO – Michael Leeper – was charged with a single federal count of computer fraud.
That came just two days after Hartford Fire Insurance Co., sued Denali in federal court, arguing its policy covering the IT services firm doesn’t apply in the event of dishonest or illegal conduct.
If Hartford gets the declaratory judgment it seeks, Denali will be on the hook for any civil penalties and legal fees, should it be found liable in the Columbia case.
That’s in addition to losses Denali says it has already incurred.
“Columbia’s allegations caused Denali to lose multiple contracts with existing customers and potential new customers, hindered Denali’s ability to recruit new employees, and caused Denali to lose some employees,” lawyers for the IT provider wrote in court papers seeking a dismissal of the case. “Denali’s damages can be assessed at over $1 million in existing and potential business.”
The insurer says the circumstances of the case fall outside of the policy’s coverage.
“Hartford is entitled to a declaratory judgment that it has no obligation to defend or indemnify Denali or Leeper in the Underlying Suit because Columbia’s allegations were not “caused by a glitch in [Denali’s or Leeper’s] performance of technology services” for Columbia or any other person,” Hartford’s lawyers wrote.
Leeper – who is also a defendant in the March 1 lawsuit – repeatedly invoked his Fifth Amendment right against self-incrimination in court papers.
Columbia seeks economic, statutory and punitive damages for computer fraud, wiretapping and conversion.
“Defendants’ continued possession of any such information, and any past or future use or dissemination of such information, threatens Columbia with irreparable harm for which there exists no adequate remedy at law,” the suit states.
Finding ‘Jeff Manning’
Denali and Columbia did business from 2012 until 2016, with the former selling computer hardware, software and consulting services.
Prior to becoming CTO at Denali in March of 2014, Leeper worked in IT at Columbia for 14 years, climbing to the role of senior director of technical infrastructure.
The position offered unique access to virtually every corner of that company’s private computer network.
But before he left – on his second-to-final day, the suit alleges – Leeper created a secret unauthorized account under the fake name, Jeff Manning.
Using the “jmanning” credential, Leeper was allegedly able to remotely access Columbia’s virtual private network (VPN) and its virtual desktop infrastructure (VDI).
In addition, Leeper is accused of using an obsolete service network account in combination with the "jmanning" account to access actual employee emails, including those of key executives.
Columbia officials discovered the unauthorized account during an upgrade of the company’s email system in summer 2016 – about two and a half years after the account was created.
By then, it’s believed Leeper entered Columbia’s network more than 700 times to access emails, strategic planning documents and other data.
Columbia mobilized an internal investigatory team, called in the FBI, hired outside legal counsel and brought in a forensic computer security consultant.
The trail led right to Leeper, the clothing maker claims, and the information accessed appeared to be of direct benefit to his new employer.
“Denali could have derived commercial benefit during its business relationship with Columbia from predicting what particular computer hardware or software Columbia needed, what Columbia was willing to pay for that hardware or software, and what Columbia’s growth and strategic plans entailed for its future IT needs,” Columbia’s lawsuit says.
In some cases, Leeper is alleged to have monitored email exchanges in real time among a pair of Columbia employees with involvement in the technology procurement process.
“Leeper worked with both employees during his employment with Columbia and knew their respective roles well,” the suit claims. “During the period in which he was unlawfully hacking into their email accounts, Leeper would occasionally contact one of the two employees and discuss ways in which Denali potentially could expand its business with Columbia.”
One email conversation in July of 2016 discussed Columbia’s interest in purchasing enterprise flash storage products from vendor Pure Storage, Inc.
“Though Denali resells equipment of the type that Pure Storage manufactures, Denali was not at that time an approved reseller for Pure Storage,” the suit states.
“As a result, Denali would not have been eligible to participate as a reseller in that transaction,” it continues. “However, during the summer or early fall of 2016, Columbia learned that Denali had become an ‘approved’ Pure Storage reseller.”
Denali denies wrongdoing
On the morning of Oct. 21, 2016, FBI agents raided Leeper’s home, hauling away computers and other evidence.
They also visited Denali’s offices in Redmond to speak with founder Majdi Daher and serve him with a notice to preserve records, court papers show.
“Mr. Daher pledged Denali’s full and continuing cooperation with the FBI’s investigation,” the company’s lawyers wrote.
Leeper was placed on paid administrative leave a week later, pending the outcome of Denali’s internal investigation.
At the time, Denali had not been informed of the “jmanning” log in credentials, and said in court papers that Columbia was unwilling to share information that would allow for a more thorough review by the service provider and its outside cyber security consultant.
Leeper denied any wrongdoing and was allowed to return to work in late November.
“Denali told Leeper that if he had gained unauthorized access to Columbia’s computer systems, his employment with Denali would be terminated immediately,” the IT provider’s lawyers wrote.
In late February, Columbia provided Denali with a draft complaint containing new details about the network intrusions.
Denali followed up on the new claims and fired Leeper on March 14.
“Leeper was terminated because Denali’s follow-up investigation revealed that Leeper’s MacBook Air—acquired while he was employed by Columbia and that he had used for work at Columbia—still had information on it from his prior employment at Columbia,” the IT firm said in court filings. “This fact violated Denali employment policies and for that reason, Denali terminated Leeper.”
Denali denies that it did anything wrong.
“While there is some evidence that Leeper had certain Columbia information on a personal laptop that he acquired before starting his employment at Denali, there is no evidence that he committed any hacking at Denali’s direction, request, or encouragement, nor that he passed on any confidential Columbia information to Denali so that Denali could obtain an unfair commercial advantage with Columbia or competitors of Denali,” court papers said.
The IT services provider is vowing to fight in court to clear its name.
“It is now very clear that Columbia’s complaint was written in a manner to suit a pugnacious narrative to put immediate and maximum pressure on Denali,” lawyers wrote. “The problem is that Columbia had and still has no evidence to support its aggressive allegations.”
Columbia has until Sept. 9 to file a response to Denali’s request to dismiss the case.
Send tips and news to [email protected].