Man buys old servers, accuses Ernst & Young of data breach

Broken lock. Image courtesy of Shutterstock

A Canadian who calls himself the owner of a used-computer dealership in Calgary (one that apparently doesn’t have a website) says he’s sitting on a pile of data for Ernst & Young’s customers, stored on servers he bought in 2006.

As of last week, Mark Morris was sort of, well, holding that data ransom, more or less, until the global consultancy ponied up for its return.

He was originally thinking of a $50,000 retainer – and that’s just to begin deleting backups of the purported data, which he’s believed to have stored on various devices, not the data on the primary server.

But as Network World reports, nobody’s even sure whether the breach is real or just the figment of Morris’s imagination.

According to court documents, Morris claims that he found a treasure trove of business data associated with Ernst & Young’s clients, mostly left on one of two servers he picked up for $300 after Ernst & Young bought the firm he was working for as an independent contractor, Synergy Partners, in 2003.

Morris reportedly informed the Canadian privacy commission about the breach.

He said that when he first contacted Ernst & Young in March 2014, the company “just demanded I give them the server back.”

Network World quotes his response:

I told [Ernst & Young] I do not work for free.

He subsequently contacted the site, reportedly telling them that the server’s holding data on…

...hundreds of companies' financials, nondisclosure agreements, confidentiality agreements, personnel files for their employees with social insurance numbers, applicants' resumes with social insurance numbers.

Well, if it’s true, then ouch.

But Morris declined to supply any proof, such as screenshots, claiming to prefer to rely on what’s already publicly available in court documents.

Also, one would assume (and hope) that if the breach is in fact real, sending out screenshots of such information willy-nilly would get him in a whole other world of legal hurt.

The “court documents” bit comes in because, understandably, Ernst & Young took up the matter with the Calgary court.

In those filings, Ernst & Young says it doesn’t know if Morris’s claims are genuine, Network World reports, but if there really is customer data on the servers, it wants it to go away – either via deletion or by having Morris give it back.

If there really are data stores floating around, Morris shopped them around for some tidy sums.

According to court documents, Morris contacted a former Ernst & Young partner in June and told him that a law firm, a data company and an M&A advisory firm were interested in acquiring the alleged data, with bids for it supposedly reaching $1.2 million.


How in the world could Morris’s alleged actions be legal?

Ernst & Young can’t take any chances.

A Calgary court ordered Morris to provide the firm’s legal counsel with copies of the alleged data, plus the primary server’s serial number by yesterday, 15 September.

That means that by now, Ernst & Young should know whether there was, in fact, a data breach caused by the failure of the company to scrub its equipment before selling it.

By 30 September, Morris is required to give access to the servers and devices to Ernst & Young’s inspectors.

He told Network World in a phone call last week that he intended to comply with the order and that he was expecting the meeting to take place in his warehouse.

But time is money, and Morris claims Ernst & Young agreed, via e-mail, to pay him $1,500 per day to cooperate with the data inspection.

Morris said that there’s a lot of data to go through, so he expected it would take a while.
