Warren Leggett had just spent the long July 4 weekend golfing with his
brother-in-law near Portland, Ore. Early the following Monday morning, his
relaxing holiday ended abruptly. The chief information officer of Niku Corp. (NIKU),
a small Silicon Valley software company, found himself plunged into a
shocking case of alleged corporate espionage–one that raises troubling
questions about the security of company information in the Internet Age.
It all started when Leggett’s brother-in-law, Jay Berlin, a mid-level tech
manager at Nike Corp. (NKE ), agreed to view a demonstration on July 8 of Niku’s
software, which helps companies collaborate on big projects over the Web. The
morning of the meeting at Nike’s suburban Beaverton offices, Berlin checked
his voicemail–which included a message from a salesperson at Niku archrival
Business Engine Software Corp. That’s odd, he told Leggett. He didn’t even
know the firm, and he wouldn’t be the one to buy such software anyway. How did
they know to call him?
Struck by the coincidence, Leggett says, he dug into Niku’s Web access logs
the next morning and discovered that someone using Internet addresses owned by
Business Engine had used Niku passwords to sneak into Niku’s network more than
6,000 times, downloading some 1,000 documents–including one that Leggett wrote
about the planned demo for Berlin. The allegations are outlined in a lawsuit
filed on Aug. 12 in U.S. District Court in San Francisco. "We never, ever
assumed something like this could be going on," says Niku Chief Executive
Farzad Dibachi. In a written statement, Business Engine said it’s cooperating
with an FBI investigation and does not yet know all the facts around the case.
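The log review described above, in which a single outside network turned up using many internal accounts and pulling down hundreds of documents, is a pattern a defender can check for automatically. The following is an added example, not code from the article or from Niku: it parses a handful of constructed web access log lines in Apache combined format (where the authenticated user appears in the third field), treats an assumed corporate range of 10.20.0.0/16 as trusted, and flags any untrusted source address that authenticated as several distinct accounts, along with how many document downloads and bytes it accounted for. It also lists, per account, every untrusted address that used that account's credentials.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format with the authenticated
# user in the third field). Addresses, names and paths are made up for this
# example; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
10.20.1.15 - jdoe [14/Jul/2002:08:01:12 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 51200
10.20.1.22 - asmith [14/Jul/2002:08:02:40 -0700] "GET /docs/pricing.xls HTTP/1.1" 200 20480
198.51.100.7 - jdoe [14/Jul/2002:02:10:01 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 51200
198.51.100.7 - asmith [14/Jul/2002:02:10:09 -0700] "GET /docs/pricing.xls HTTP/1.1" 200 20480
198.51.100.7 - bwong [14/Jul/2002:02:10:15 -0700] "GET /docs/demo-plan.doc HTTP/1.1" 200 8192
198.51.100.7 - ckhan [14/Jul/2002:02:10:21 -0700] "GET /docs/customers.csv HTTP/1.1" 200 65536
198.51.100.7 - jdoe [14/Jul/2002:02:11:02 -0700] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - jdoe [14/Jul/2002:09:15:00 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 51200
"""

# One combined-format line: client ip, ident, auth user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed internal address space; anything outside it is "untrusted" here.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_log(text):
    """Parse combined-format lines into dicts; silently skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        entries.append(d)
    return entries


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_credential_sharing(entries, min_accounts=3, download_prefix="/docs/"):
    """Summarise untrusted source addresses that authenticated as at least
    `min_accounts` distinct users: one outside host cycling through many
    internal accounts is the signature of harvested or shared passwords."""
    by_ip = defaultdict(lambda: {"users": set(), "requests": 0, "downloads": 0, "bytes": 0})
    for e in entries:
        if e["user"] == "-" or is_trusted(e["ip"]):
            continue
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["requests"] += 1
        # Count successful fetches under the document tree as downloads.
        if e["status"] == 200 and e["path"].startswith(download_prefix):
            s["downloads"] += 1
            s["bytes"] += e["size"]
    flagged = {}
    for ip, s in by_ip.items():
        if len(s["users"]) >= min_accounts:
            flagged[ip] = {
                "users": sorted(s["users"]),
                "requests": s["requests"],
                "downloads": s["downloads"],
                "bytes": s["bytes"],
            }
    return flagged


def accounts_used_externally(entries):
    """Map each account to the sorted list of untrusted addresses that used it,
    so every affected credential can be reset, not just the ones on the noisiest host."""
    seen = defaultdict(set)
    for e in entries:
        if e["user"] != "-" and not is_trusted(e["ip"]):
            seen[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, summary in find_credential_sharing(entries).items():
        print(f"{ip}: {len(summary['users'])} accounts, "
              f"{summary['downloads']} downloads, {summary['bytes']} bytes")
    for user, ips in accounts_used_externally(entries).items():
        print(f"reset {user}: used from {', '.join(ips)}")
```

The thresholds and the trusted range are the parts to adapt: in a real deployment the trusted set would come from the corporate address plan and VPN pools, and the "many accounts from one source" rule should be paired with a per-account rule, since an attacker who holds only one password would never trip the first.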
The alleged high-tech pillaging highlights a vexing problem in today’s
networked corporations: gaping holes in computer security. Passwords, which can
be easily guessed or tricked out of employees, are becoming the Achilles' heel of
computer security. On Aug. 14, for example, an associate dean at Princeton
University was removed from his post after admitting he used easily guessed
passwords to access a student admissions site set up by Yale University. Indeed,
an April survey of 500 corporations by the Computer Security Institute found
that 80% of them had been broken into, resulting in combined losses of $455
million. And there are no easy solutions. "For all intents, when they are
using that password, they are inside that network," says Dorothy Denning, a
computer science professor at Georgetown University.
Now the feds are involved. On Aug. 8, at least two dozen FBI agents raided
Business Engine’s offices. FBI officials won’t comment. Five days later, a
federal judge issued a temporary restraining order against Business Engine and
ordered it to ask its business partners and customers to return any proprietary
Niku information it may have given them. In an Aug. 20 statement, Business
Engine said it asked Niku to work with an "independent third-party
mediator" to help resolve the case. Niku execs said that, as of press time,
they had not received that request.
The Niku lawsuit doesn’t specify damages. Company officials claim that
using that stolen information, Business Engine was able to become a last-second
competitor on several major deals, including a project at Lloyds of London,
according to court documents.
The loss of big deals couldn’t have come at a worse time for Niku, which is
struggling with the tech downturn. The still-unprofitable Redwood City (Calif.)
company has reduced its staff from 1,100 a year ago to 300 today. In the quarter
ended in July, its sales fell 38%, to $10.5 million, from the year before.
The stolen Niku files, the company contends in the lawsuit, were the crown
jewels of the software company, including upcoming features, lists of potential
customers, pricing, and customizations for clients. The downloaded items also
included one file mentioning that Leggett planned to show Niku’s software to a
project manager from Nike. That file, the only place an invader could have
learned of the Nike meeting, didn’t mention they were related.
That was strange enough, but Leggett says he kept digging and found more. He
was stunned to find that someone outside the company used 15 internal passwords
over and over again. The invasions had occurred since last October. "It was
sheer coincidence," says Dibachi. "Otherwise, who knows how long this
would have gone on?"
Even now, officials aren’t quite sure how the passwords fell into the wrong
hands. It could be weeks or months before Niku and the FBI figure that out. But
for the rest of industry, Niku’s experience is a warning call: The nearly $3.6
billion being spent worldwide on computer security clearly isn’t enough.
By Jim Kerstetter in San Mateo, Calif., in BusinessWeek. Copyright 2002 by The McGraw-Hill Companies, Inc.