Massive data theft leads investigators to India hackers, New York businessman

June 4, 2010 By Dan Browning

A massive data theft from the e-commerce company Digital River has led investigators to hackers in India and a 20-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars.

The Eden Prairie, Minn., company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying, altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects the information was stolen by hackers in New Delhi, possibly with inside help.

Porat has said he got the information from India, but won't say how or from whom.

"I fully suspect that Mr. Porat hacked the hacker," said Christopher Madel, an attorney with Robins, Kaplan, Miller and Ciresi who is overseeing Digital River's investigation.

The matter came to light Thursday afternoon when U.S. District Judge Donovan Frank convened a public status conference in the case. The hearing was posted on the court docket without listing any of the parties involved.

A reporter attended the hearing, and Frank ordered all previously filed documents to be unsealed without objection. Frank, who co-chairs a committee on public access to the federal courts in Minnesota, said he temporarily allowed the civil case to be filed under seal -- and without notice to the defense -- so that Digital River could issue subpoenas and safeguard evidence that might otherwise be destroyed or disappear.

Digital River Marketing Solutions Inc. filed the lawsuit under seal on May 13, listing Porat and his company, Affiliads LLC, as defendants and demanding to know how they obtained the firm's data and what they've done with it.

The data was originally gathered by companies that offer "affiliated marketing" programs, a practice in which businesses pay a commission to affiliates who post links on the Internet that drive customers to participating companies. The affiliates get paid when consumers buy something, make an inquiry or provide a sales lead.

Direct Response Technologies, a Digital River subsidiary based in Pittsburgh, Penn., sells a leading software program called DirectTrack to help companies create and manage affiliated marketing programs. Data gathered by the program gets stored on Digital River's servers, and access to it is tightly restricted with passwords and other security measures, the company says.

Since the lawsuit was filed, Porat has tried to be as forthcoming as possible without waiving his constitutional rights, said his attorney, Joseph Nierman, of Passaic, N.J. He noted that Porat participated in a deposition with the plaintiffs that lasted nearly six hours.

Madel said that while Porat has cooperated, he also invoked his Fifth Amendment right against self-incrimination "about 26 times," refusing to explain how he got the data, or from whom. "I am very reluctant to say that Mr. Porat has been forthcoming" with everything he knows, Madel said.

Porat said Thursday evening that he was too busy to talk to a reporter.

Regardless of how he got the data, the suit alleges that Porat tried to sell it for $500,000 to Media Breakaway, a Westminster, Colo.-based marketing firm, as well as to some of its competitors. Court records say that Porat had been an affiliate of Media Breakaway, collecting commissions totaling $1,600 for driving consumer traffic to the firm.

According to Media Breakaway records, they initially spurned Porat's offer. When he persisted, the company notified Digital River and helped the FBI to investigate the matter.

Madel disclosed Thursday that a federal grand jury is investigating the alleged data theft under the direction of Assistant U.S. Attorney Timothy Rank, one of the prosecutors in the trial of convicted Ponzi schemer Tom Petters.

Porat, who lives at home with his parents, claimed in e-mails and instant messages with Media Breakaway that he had consumer-tracking information from a dozen different companies, including names, e-mail addresses, websites, company names and unique user-identification numbers for 198,398 individuals. These data are valuable to companies seeking targeted marketing lists of potential customers.

Scott Richter, CEO of Media Breakaway, said in a court filing that Porat claimed to be offering the DirectTrack data to the highest bidder. He said Porat told him he got the data from a former consultant for Digital River, who captured it during an enhancement of the DirectTrack data system when security systems were taken down temporarily.

Gary Olden, vice president of product management at Digital River Marketing, said in a court filing that an internal investigation found that the stolen data was accessed Jan. 27 from four different computers linked to a DirectTrack customer in New Delhi named VCommission, or Vaxat iTech Pvt. Ltd. He said the data was downloaded using a "highly unusual" search command.

Olden said he could find only one other instance where that type of command was used to access DirectTrack data. It took place six hours after the command was issued in India, and it came from another customer, Clickbooth/IntegraClick, a marketing firm in Sarasota, Fla. In that case, though, the user only accessed Clickbooth/IntegraClick's own data, he said.

Olden said his customers and clients view data security as an important component of DirectTrack, as they have "a significant interest in ensuring that their customer lists are not made available to their competitors (let alone sold to the highest bidder)."


not rated yet Jun 04, 2010
Why don't they come up with a physical locking mechanism for sensitive data? I.e., use an actual physical key that you have to turn to allow access.
1 / 5 (1) Jun 04, 2010
What is a dongle?
not rated yet Jun 05, 2010
Poor overhyped article. Such minor hackery happens everywhere around the world; what's the hype?
