Corporate cyber-espionage alleged by petroleum software developer

The president of Platte River Associates, a United States software development company, has pleaded guilty to charges of hacking into a competitor’s website and copying commercially sensitive files. The company develops specialist petroleum exploration software, and the target of the cyber-espionage was Zetaware, one of its chief competitors. It all smells rather suspect: the executive, a Mr Leonard, admitted to accessing a password-protected area of Zetaware’s website using a password he had been given, and then copying the files from an anonymous wireless hotspot in a Houston airport. When he mentioned the files in a Platte River staff meeting the following week, word leaked back to Zetaware and subsequently to the police. Leonard was sentenced to 12 months’ probation and a fine of USD $100 000.

One has to wonder about this case. Why were ‘sensitive documents’ left in an unencrypted format on a corporate website, protected only by a simple and widely-known password? How did Leonard happen upon the password? Perhaps there were information conduits on both sides — how else did word get back to Zetaware? Injury aside, is it possible Zetaware had a commercial motive of its own for ensuring Leonard was prosecuted? Although it’s unclear from the news reports whether the basis of the conviction was recorded under an anti-hacking or unfair competition statute, either avenue was potentially available to prosecutors. This is interesting because it reflects a growing overlap between subject-specific cybercrime legislation and generic norms of criminal conduct. This case is a timely reminder to businesses why private documents should never be entrusted to a public web server, whether or not protected by an .htaccess mechanism.