PORTLAND — Columbia Sportswear has sued a former IT employee whom it contends hacked into its email system for more than two years in a bid to land more work for his new boss.
Michael Leeper accessed the emails of Columbia’s senior executives and IT department in hopes of gleaning information that would help him win technology contracts with the company, according to a lawsuit filed March 1 in U.S. District Court in Portland.
Leeper left Portland-based Columbia in 2014 to join Denali Advanced Integration of Redmond. The suit names Leeper, Denali and Denali’s parent company, 3MD Inc.
The complaint discloses a glaring security lapse at one of the biggest companies in the hyper-competitive apparel and footwear world. It’s an industry that zealously guards its intellectual property and routinely requires senior employees to sign non-disclosure and non-compete agreements.
But as hackers grow more sophisticated, it’s becoming harder for even the most cautious companies to fend them off. Corporate hacking has become big business — estimated to have cost the global economy $445 billion in 2016 alone.
Some hackers simply steal and resell credit card numbers. Others use encryption and ransomware to extort money from victims and evade detection.
The hack cited in the lawsuit was neither. Rather, it allegedly was carried out by a former insider hoping to give his new employer a competitive edge.
Columbia, which reported nearly $2.4 billion in sales in fiscal 2016, declined comment for this report. In a written statement, it praised the “diligent efforts of our IT employees” for uncovering “this invasion of Columbia’s privacy” last summer. It also said it forwarded the matter to the FBI.
Denali, a middle-man reseller of computer hardware and software, said it has placed Leeper on leave. “These claims astonish us, and they in no way reflect Denali or its values, this is not who we are,” said Majdi Daher, Denali chief executive officer. “We look forward to illuminating the facts, and to demonstrating Denali’s integrity.”
Leeper, 41, had a senior role in Columbia’s IT department that gave him nearly unlimited access to the company’s computer network for 14 years. In February 2014, he notified Columbia that he was leaving to join Denali, which had been doing business with Columbia for two years.
Columbia terminated Leeper’s computer access. But on the day before his departure, Leeper allegedly set up another unauthorized account under a fake name — Jeff Manning or jmanning (The inspiration of that name is not clear. It is the name of The Oregonian/OregonLive reporter who covers Columbia and other Oregon apparel and footwear makers).
Using the jmanning credentials, Leeper repeatedly gained access to proprietary information, the suit says. Columbia’s records indicate that “jmanning” accessed its electronic systems 700 times.
Leeper apparently hit upon useful commercial information. He allegedly learned through employee emails that Columbia was considering the purchase of technology from a company called Pure Storage Inc. Denali at the time didn’t sell Pure Storage products. But Leeper swiftly got Denali on the list of Pure Storage vendors, according to the lawsuit.
Columbia says it detected the breach when it upgraded its software last summer. It is seeking unspecified damages.
