Denali Denies Wrongdoing Amidst Claims That Its CTO Hacked Ex-Employer Columbia Sportswear
Solution provider Denali Advanced Integration denies allegations made in a lawsuit last week that its CTO illegally hacked the private network of one of its customers, apparel heavyweight Columbia Sportswear, to benefit Denali financially.
"We absolutely dispute the claim that Denali was involved in any wrongdoing," said Majdi Daher, CEO of Redmond, Wash.-based Denali, Friday in emailed responses to questions from CRN... "We are working diligently – on our own and in cooperation with investigating authorities – to surface the facts, and we fully believe that they will underscore Denali's integrity."
Denali is conducting an investigation into the allegations with the help of a third-party cybersecurity firm and legal counsel.
In a 19-page lawsuit filed with the U.S. District Court in Portland, Columbia accuses Denali CTO Michael Leeper of using dummy email accounts on more than 700 occasions to illegally view internal communications concerning deals in which Denali had a financial interest, emails between Columbia and Denali's competitors, and confidential documents related to Columbia's long-range IT budget plans.
Denali has placed Leeper – a former Columbia employee – on paid leave and engaged investigators for the second time in its efforts to get to the bottom of the allegations, Daher said. Denali, No. 92 on the CRN Solution Provider 500, first placed Leeper on leave and began an internal investigation last fall after it first became aware of the allegations.
Leeper was reinstated a month later after the original internal investigation offered no indications of wrongdoing, Daher said.
"We have no information that validates these claims [by Columbia], despite a comprehensive study that includes deep investigation into Denali technology systems and in-depth interviews with all Denali parties who have had any contact with Columbia Sportwear," Daher said in the email to CRN, adding that he was "dumbfounded" by Columbia's claims.
Daher said authorities first contacted Denali on Oct. 21, 2016, to demand records of Leeper's interactions with Columbia, but didn't provide detailed information about the allegations. In response, Denali immediately placed Leeper on leave and hired the third-party data incident investigation and response firm to conduct a forensic investigation, Daher said.
Before joining Denali in March 2014, Leeper spent 14 years in Columbia's IT department, rising to the role of senior director of technology infrastructure. As a result, Columbia said Leeper had nearly unlimited access to the company's private computer network, including thousands of secure email accounts used by Columbia employees around the world.
One day before Leeper left Portland, Ore.-based Columbia, the company alleges he created a separate, unauthorized account under a false name so that he could continue accessing Columbia's private computer network. Leeper was one of very few Columbia employees authorized to both create new accounts and give existing accounts permission to access otherwise forbidden parts of the network, according to the lawsuit.
Columbia has additionally accused Leeper of giving a dormant service network account several new permissions that would allow a user of the account to access other Columbia employees' email accounts.
The company is seeking economic and punitive damages, attorneys' fees, and prohibiting Denali and Leeper from using any unlawful Columbia information they still possess, according to a lawsuit filed March 1 with the U.S. District Court in Portland. Columbia said it has spent $5,000 on outside council, and an additional $5,000 worth of employee time probing the intrusion.
While a Columbia employee, Leeper initiated Columbia's business relationship with Denali in 2012 and was responsible for procuring hardware, software and consulting services from the solution provider, according to the suit. Daher said Denali beat out two other solution providers to earn a contract to be Columbia's EMC systems integrator.
Once Leeper joined Denali two years later, he helped manage the business relationship with Columbia, regularly contacting employees in Columbia's IT department to discuss ways Denali could expand its business with Columbia, the suit says. Denali's contracts prohibit hiring people from customer organizations unless the decision is reached with mutual agreement, Daher told CRN.
Leeper is currently on paid leave from Denali, and does not have access to Denali customers, vendors, employees or other data, the company said. Leeper receives a fixed salary and bonus from Denali, Daher said, and does not have any incentives connected to sales or business development.
Columbia claims that Leeper hacked into the email accounts of two Columbia IT employees responsible for procuring computer hardware and software from solution providers like Denali. Additionally, Leeper is alleged to have accessed messages containing contracts signed between Columbia and Denali's competitors, as well as detailed spreadsheet projecting Columbia's IT spending in the coming years.
Specifically, Columbia alleges that in July 2016, Leeper read intra-office employee messages with the subject title "Pure Storage Partner Discussion," in which Columbia was exploring a potential transaction with the vendor. Denali was not at the time an approved reseller for Pure Storage but become one in the months following Leeper's reading of this message, Columbia claims.
Daher said individuals from both Columbia and Pure Storage told Denali's account team that Columbia was considering Pure Storage as an alternative to its current system. Denali pitched a Pure Storage solution to Columbia, Daher said, but the company ultimately opted to remain with EMC and source the solution from a company other than Denali.
The scope of Denali's storage and data management work with Columbia stayed steady if not actually dropped a little after Leeper came on board, Daher said.
In total, Columbia alleges Leeper hacked into at least eight of its employees' email accounts during the late summer and early fall of 2016, and additionally accessed other documents and information stored on Columbia's network.
Columbia said it detected Leeper's intrusions while implementing an upgrade to its email system during the summer of 2016. The company said it reported the matter to the FBI and began monitoring Leeper's two unauthorized accounts.
Columbia in the lawsuit said it has been unable to determine whether Leeper or Denali still possess any of the confidential business information they unlawfully accessed during the hacking. The only Columbia-related information possessed by Denali, according to Daher, are materials provided by the company to Denali's sales and technical team to enable them to do authorized work.
Daher said he has personally reached out to partners, customers and employees to inform that of Columbia's lawsuit and reassure them that Denali is committed to protected their information and security. Many stakeholders have come back with support and confidence in Denali and its practices, Daher said, particularly after reviewing the company's policies.
Denali has additionally documented with customers information about any Denali employees who used to work for them, and reinforced the company's attention and care to secure practices, Daher said. The company constantly audits its employees with access to customer networks to ensure that they are using their access appropriately and only for the work they have been hired to do, according to Daher.
"We are devoted to continuing to earn the trust of our customer, partners and employees for decades to come," Daher said. "Shining a light on the facts is our number one priority."