Former MSP Exec Pleads Guilty to Hacking Client

Written by Aldrin Brown
September 12, 2017

Michael Leeper admitted he illegally accessed the network of his former employer, Columbia Sportswear Company, partly in hope that it would help him in his new job as CTO for managed services provider, Denali Advanced Integration.

The former chief technology officer for a Seattle-area managed services provider faces up to 10 years in prison and a $250,000 fine after pleading guilty to a federal felony charge of computer fraud.

Michael Leeper, who until February served as CTO at Redmond, Wash.-based Denali Advanced Integration, was accused of using his old credentials to repeatedly log into the network of his previous employer, Columbia Sportswear Company.

Denali had a four-year business relationship providing IT hardware and services to Columbia, and Leeper admitted in a 13-page plea petition that he knew the information he was accessing might benefit his new employer.

“I accessed the network purely out of curiosity, but based on the identities of some of the Columbia employees whose email accounts I accessed, I knew when I was logging into Columbia’s network that I would likely encounter information relevant to Denali’s business relationship with Columbia,” the document, filed Aug. 30, states. “In accessing and viewing some of those emails, I was motivated at least in part by my capacity as Denali’s CTO, in that I believed those emails might contain information that would be useful to Denali.”

Leeper will remain free until his sentencing on Dec. 7.

It’s unclear how the guilty plea will affect Columbia’s civil litigation against Denali, which has denied any knowledge of Leeper’s activities.

“The U.S. Attorney’s office filed the criminal lawsuit solely against Leeper after an exhaustive investigation of Leeper and Denali by the FBI and the Department of Justice,” Denali said in a statement. “No charges were brought against Denali, which has fully cooperated with the probe from the beginning.”

The MSP said it fired Leeper on March 14, 2017, after learning he had violated their policy.

Leeper worked 14 years at Columbia, rising to the role of senior director of technical infrastructure before leaving for the job at Denali in 2014.

In its lawsuit, Columbia claims Leeper created a fake account on the eve of his separation, which he used more than 700 times during the next two years to access emails and other files containing strategic information.

The information, including technology purchasing plans and budgets, would have given Denali a competitive advantage.

Denali denied it gained any competitive advantage from Leeper’s actions, and said in court papers that it anticipates losses of more than $1 million because of the case.

“As the criminal charge and plea confirms, Denali played no role in – nor benefited from – Leeper’s misconduct,” Denali’s statement said. “The company takes pride in its integrity. It does not condone unfair business practices, and will not tolerate illegal conduct.”

Also unclear, is how the plea will affect a second, related lawsuit brought by Denali’s insurer, Hartford Fire Insurance Co.

Hartford sued in federal court last month, seeking a declaratory judgment absolving it from having to pay Denali’s claims in the case.

“Hartford…has no obligation to defend or indemnify Denali or Leeper in the Underlying Suit because Columbia’s allegations were not ‘caused by a glitch in [Denali’s or Leeper’s] performance of technology services’ for Columbia or any other person,” lawyers for the insurer wrote.

Columbia – which is seeking economic, statutory and punitive damages – has until next week to file a response to Denali’s request to dismiss the civil case.

Send tips and news to [email protected].