(Alleged) Spammer Squares Off With (Alleged) Hacker, Highlighting Risk of Cyber Threats

What’s in a name?  Obviously a lot, as businesses in all industries invest significant time and money to protect their reputations.  But, in some sectors, the line between positive and pejorative can be quite thin.

Take email marketing and cybersecurity, for example:  What exactly distinguishes a successful high-volume email marketer from a spammer?  And how can we distinguish a well-intentioned security analyst exposing vulnerabilities from a nefarious hacker?  (Those familiar with techspeak will surely recall the familiar “white hat” and “black hat” dichotomy, but even that, as Wired has observed, is subject to gray areas of its own.)

It’s these gray areas that are taking center stage in a recent dispute in the Eastern District of Washington.  The lawsuit, filed on March 21, 2017, by Washington-based marketing firm River City Media, LLC, centers on an exposé published on the blog MacKeeper.com, alleging that River City was operating a large-scale spam operation involving 1.4 billion email accounts.

In the blog post, security researcher Chris Vickery claimed he “stumbled upon” a publicly exposed database maintained by River City containing massive amounts of personal data, including email addresses, IP addresses, and consumer data.  River City contends otherwise.

In its complaint, which alleges, among other things, violations of the Computer Fraud and Abuse Act and the Defend Trade Secrets Act, River City claims that Vickery was not a security professional, but instead, a “vigilante black-hat hacker” who broke into its system and took confidential, sensitive and proprietary data.  River City learned of a cyber breach in January 2017 but didn’t discover the source of the breach until publication of Vickery’s blog post.  The reason for this, it contends, is that Vickery attacked and compromised the firm’s servers, which “effectively hamstrung River City’s ability to detect and stop [the] cyberattack.”  If Vickery is correct in saying that he simply “stumbled upon” the database, the company argues, “there would have been no need to attack and compromise one of River City’s primary intrusion detection systems nor to purposefully destroy the ‘netbox,’ deleting files critical to River City’s operations.”

So what happens next?  It’s still very early, and neither Vickery nor the other defendants (which include a handful of publications that picked up his story) have responded to the complaint, so we don’t know whether the dispute will settle quietly or evolve into full-fledged litigation.

It appears that Vickery is no stranger to litigation.  Over the past few years, he has made a name for himself, exposing data security issues in systems ranging from Mexican voter databases to an online community for Hello Kitty fans.  In an August 2016 interview with Business Insider, he spoke about some of his past legal battles, noting that “[o]n the civil side, ultimately people calm down and realise I’m not a bad guy, and it kind of works out that way.”  Time will tell whether River City sees things the same way.

In the meantime, businesses concerned about protecting their trade secrets and other valuable information from cyberattacks are well advised to familiarize themselves with the various types of threat actors.  These include not only competitors and malicious insiders, two familiar sources of threats, but also organized crime and so-called “hacktivists.”  In addition, for those of the “best offense is good defense” mentality, it can never hurt to stay on top of cybersecurity developments and implement an approach that is proportional to the nature of the risk involved.