A Canadian who calls himself the owner of a used-computer dealership in Calgary (one that apparently doesn’t have a website) says he’s sitting on a pile of data for Ernst & Young’s customers, stored on servers he bought in 2006.
As of last week, Mark Morris was sort of, well, holding that data ransom, more or less, until the global consultancy ponied up for its return.
He was originally thinking of a $50,000 retainer – and that’s just to begin deleting backups of the purported data, which he’s believed to have stored on various devices, not the data on the primary server.
But as Network World reports, nobody’s even sure whether the breach is real or just the figment of Morris’s imagination.
According to court documents, Morris claims that he found a treasure trove of business data associated with Ernst & Young’s clients, mostly left on one of two servers he picked up for $300 after Ernst & Young bought the firm he was working for as an independent contractor, Synergy Partners, in 2003.
Morris reportedly informed the Canadian privacy commission about the breach.
He said that when he first contacted Ernst & Young in March 2014, the company “just demanded I give them the server back.”
Network World quotes his response:
I told [Ernst & Young] I do not work for free.
He subsequently contacted the site DataBreaches.net, reportedly telling them that the server’s holding data on…
...hundreds of companies' financials, nondisclosure agreements, confidentiality agreements, personnel files for their employees with social insurance numbers, applicants' resumes with social insurance numbers.
Well, if it’s true, then ouch.
But Morris declined to supply any proof, such as screenshots, claiming to prefer to rely on what’s already publicly available in court documents.
Also, one would assume (and hope) that if the breach is in fact real, sending out screenshots of such information willy-nilly would get him in a whole other world of legal hurt.
The “court documents” bit comes in because, understandably, Ernst & Young took up the matter with the Calgary court.
In those filings, Ernst & Young says it doesn’t know if Morris’s claims are genuine, Network World reports, but if there really is customer data on the servers, it wants it to go away – either via deletion or by having Morris give it back.
If there really are data stores floating around, Morris shopped them around for some tidy sums.
According to court documents, Morris contacted a former Ernst & Young partner in June and told him that a law firm, a data company and an M&A advisory firm were interested in acquiring the alleged data, with bids for it supposedly reaching $1.2 million.
How in the world could Morris’s alleged actions be legal?
Ernst & Young can’t take any chances.
A Calgary court ordered Morris to provide the firm’s legal counsel with copies of the alleged data, plus the primary server’s serial number by yesterday, 15 September.
That means that by now, Ernst & Young should know whether there was, in fact, a data breach caused by the failure of the company to scrub its equipment before selling it.
By 30 September, Morris is required to give access to the servers and devices to Ernst & Young’s inspectors.
He told Network World in a phone call last week that he intended to comply with the order and that he was expecting the meeting to take place in his warehouse.
But time is money, and Morris claims Ernst & Young agreed, via e-mail, to pay him $1,500 per day to cooperate with the data inspection.
Morris said that there’s a lot of data to go through, so he expected it would take a while.
Image of broken lock courtesy of Shutterstock.
28 comments on “Man buys old servers, accuses Ernst & Young of data breach”
Give Access to the inspectors?? This means that the judge is not being impartial since giving access to the data for the E&Y is allowing them to delete everything. Such dumb
Actually it says in the article he has already backed up the data to a few different places so even if the inspectors verify and try to delete the data it means nothing as he has copies:
“He was originally thinking of a $50,000 retainer – and that’s just to begin deleting backups of the purported data, which he’s believed to have stored on various devices, not the data on the primary server.”
Oops my bad you are right he has to give access to all of it. But if he has dumped in a ton of places he could drag it out for days with $1500 per day fee that could add up to a lot.
gads, just sell them the servers back for like 5k. Everybody's happy.
Time and time again, companies fail to do what is right when disposing of old hardware. Company after company just throws it out without verifying that data has been removed. Then they blame everyone but themselves for this failure. I read somewhere that about 70% of the companies are guilty of this practice, but I do not know if this is really accurate. While I don’t approve of what the person did, it does not surprise me much.
I can tell you at my work, we do a 7 pass D.O.D compliant wipe of every hard drive if we sell the equipment. If we are recycling the equipment, we zero out the drive then put holes through it. The government would not want to have a data breach.
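The commenter above describes a zero-fill wipe before disposal. The step that is usually missing from such a process, and the one that would have caught the failure described in the article, is verifying the wipe before the hardware leaves the building. The script below is an added example, not code from the article or from any commenter; it assumes a sanitisation policy that ends with the drive being overwritten with zeros, and it scans a disk image or block device sector by sector, reporting any sector that still holds non-zero data and extracting printable runs from those sectors so an operator can see what survived. The sample image it scans is constructed inline.

```python
import io
import re
from dataclasses import dataclass, field
from typing import BinaryIO, List, Optional

SECTOR = 512  # logical sector size assumed for reporting; adjust for 4Kn devices


@dataclass
class ScanResult:
    """Summary of a post-wipe verification pass."""
    total_bytes: int = 0
    nonzero_bytes: int = 0
    dirty_sectors: List[int] = field(default_factory=list)  # sector indices with residual data
    first_nonzero_offset: Optional[int] = None

    @property
    def clean(self) -> bool:
        """True only if every byte read back was zero."""
        return self.nonzero_bytes == 0


def scan_stream(stream: BinaryIO, chunk_size: int = SECTOR * 2048) -> ScanResult:
    """Read the stream sequentially and record every sector that is not all zeros.

    chunk_size must be a multiple of SECTOR so sector indices stay aligned.
    """
    result = ScanResult()
    offset = 0
    zero_sector = bytes(SECTOR)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        # Fast path: an all-zero chunk needs no per-sector inspection.
        if chunk.count(0) != len(chunk):
            for start in range(0, len(chunk), SECTOR):
                sector = chunk[start:start + SECTOR]
                if sector != zero_sector[:len(sector)]:  # tolerate a short final sector
                    result.dirty_sectors.append((offset + start) // SECTOR)
                    result.nonzero_bytes += len(sector) - sector.count(0)
                    if result.first_nonzero_offset is None:
                        first = next(i for i, b in enumerate(sector) if b)
                        result.first_nonzero_offset = offset + start + first
        offset += len(chunk)
    result.total_bytes = offset
    return result


def scan_path(path: str) -> ScanResult:
    """Verify a device node or image file, e.g. scan_path('/dev/sdX') or scan_path('disk.img')."""
    with open(path, "rb", buffering=0) as f:
        return scan_stream(f)


def residual_strings(image: bytes, result: ScanResult, min_len: int = 8) -> List[str]:
    """Pull printable ASCII runs out of the dirty sectors, like `strings` but targeted."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found: List[str] = []
    for idx in result.dirty_sectors:
        sector = image[idx * SECTOR:(idx + 1) * SECTOR]
        found.extend(m.decode("ascii") for m in pattern.findall(sector))
    return found


def build_sample_image() -> bytes:
    """Constructed sample: an 8-sector image that was 'wiped' but still has two dirty sectors."""
    img = bytearray(SECTOR * 8)
    leftover = b"CLIENT_LIST.xlsx\x00SIN=000-000-000 (constructed placeholder)"
    img[3 * SECTOR:3 * SECTOR + len(leftover)] = leftover
    img[5 * SECTOR + 100:5 * SECTOR + 104] = b"\xde\xad\xbe\xef"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    report = scan_stream(io.BytesIO(image))
    status = "CLEAN" if report.clean else "RESIDUAL DATA FOUND"
    print(f"{status}: {report.nonzero_bytes} non-zero bytes in sectors {report.dirty_sectors}")
    for s in residual_strings(image, report):
        print("  recovered text:", s)
```

Run it against a real device with `scan_path("/dev/sdX")` after the overwrite completes, and treat anything other than `clean == True` as a failed disposal. The per-sector report is what makes the check actionable: a single dirty sector usually means the wipe tool skipped a protected area or the device remapped blocks, and the recovered strings tell you whether that residue is harmless firmware padding or a customer file.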
Sounds to me like this guy facilitated the breach himself somehow. He knew the data was there…these old servers were offline at the company he worked for or something….he's not being completely honest about how/where he got the servers, or why he bought them, or something…..it's veeeeery fishy…especially because he is being such a tool about demanding money for every little thing…this guy is a creep for sure.
This is ransom. On the other hand, he is entitled to a sensible amount of money to pay for nuking the data (which can take up to 24 hours per machine depending on the algorithm used and the number of times the disk is overwritten). Swapping out the disks with new ones might be unadvisable since the disks may be matched to the 2006-dated servers. And if Ernst & Young wants to look at the data he now has then, yes, he should be handsomely paid for babysitting them in his warehouse when he could be out making money.
Or 24 minutes with a drill / angle grinder…
Sort of a tool, if you ask me. I’d think that once something like this goes to court, the court will just force E&Y to pay back to Morris what he paid for the equipment and recompense for legal fees and time spent with this, since it’s really a breakdown of E&Y’s process and I’m reasonably sure they didn’t intend to sell that data.
I wonder if Morris was an independent contractor with involvement in the decommissioning of equipment and part of his duty might have been to wipe this data. In which case, he could maybe be in some trouble if he did this maliciously.
Entertaining, if nothing else. 🙂
I feel like there’s some scamming going on here…
“He was originally thinking of a $50,000 retainer – and that’s just to begin deleting backups of the purported data…”
So, how is this guy any different from any of the people running ransomware networks around the world?
With ransomware you are paying not to have your data deleted 🙂 Here, if you don’t pay, the data stays…
…in his possession. My point was that he’s still demanding money for this data which in my opinion makes him no better… but thanks for the literal explanation.
Ah, I was just making a sort of joke…it does sound rather ransomy, doesn’t it. “Pay up or you WILL see your data again” 🙂
He should have made a low key approach to the NSA to “appraise” the data’s worth and then cut a deal with them. The NSA has historically avoided courts or any other public venue.
Divisive issue, this. Ernst & Young are meant to be SUBJECT MATTER EXPERTS in this area.
My honest view is that as long as he *doesn’t* try to directly monetise the data himself through other third parties, as suggested – which would be straight-up illegal IMHO – he’s perfectly entitled to say (to a huge commercial entity like E&Y) that they should pay for every step of this remediation process. Financial “penalties” are the best means of redress available.
If he was involved in arranging to possess the data, rather than stumbling across it, that’s very different again. Still, you’ll have to go a very, very long way indeed to convince me that E&Y are the injured party here, rather than the injurer.
Good luck lecturing companies on secure disposal practices now, E&Y – and explaining the lapse to regulators!
I used to work for the company that E&Y used for some of this management. It was before 2006, but I know they had some pretty good controls around the hardware disposal process even then.
What seems likely happened was that E&Y contracted with a company to dispose of the e-waste properly, and that contractor hired didn’t do the job properly.
Outsourcing disposals has become really popular because the money saved can be enormous. But, trusting that outsourcer can cause problems.
Interesting order of events:
1) The guy worked for Synergy Partners prior to 2003
2) in 2003, E&Y bought Synergy, No mention of whether he was still working for Synergy/E&Y at that time, or whether in his job there he would know what was stored on those specific servers.
3) In 2006 this guy bought Synergy’s servers (presumably after they moved over to E&Y’s systems). No mention of whether he was still working for E&Y at that time.
4) *9* years later, the guy goes public with information he purports is on those servers, that belonged to Synergy before E&Y took over and decommissioned them. This is Synergy data from 2003 and earlier — 11+ years ago.
This raises a number of important questions, including what his relationship to that data had been prior to 2006, how he acquired the servers, when he stopped working for Synergy/E&Y, WHY he stopped working for E&Y, WHEN he discovered what was on the servers, and why he notified interested parties about 11+ year old data 9 years after the data breach occurred.
I can think of scenarios where what he did is completely legitimate, and I can think of scenarios where it was done intentionally to a variety of degrees with a variety of motives. The $50,000 consulting fee leads me to suspect he was downsized as part of the buyout, but that’s unsubstantiated speculation.
So: what is the appropriate thing to do if you realize you’re a private individual in possession of a large cache of data that belongs to someone else/some corporation?
I do like that question. Do you profit from it? Do you delete it quietly? Do you feel you need to let the company know so they can close a possibly unknown deficiency? Do you let them know publicly to make sure everyone knows what happened and maybe pressure the company to look into it for sure…?
Good ethics questions. 🙂
You sell it back to E&Y at top dollar and you report it to the SEC. Quietly disposing of the data will do nothing to prevent future breaches. Big money payouts and corporate embarrassment is the only thing that gets these companies’ attention and results in real changes. Anything less would only get you lip service.
As the IT dude at a large medical facility it is my responsibility to make 100% sure no data is left on the old servers. I don’t have fancy programs that overwrite 15 different ways. I have a torx head screwdriver and a drill; we strip the hard drive out and recycle the magnets, disks, aluminium, copper, titanium and any other metals that can be extracted. I hit the platters once they are out of the hard drive unit with a hammer and I can guarantee that you will never retrieve any data from that disk again. Why would you want to recycle an old disk? The older the disk the higher the risk.
You know you can pay to get them properly crushed?
Tip #271 for computer security life skills: Befriend someone who owns a blast furnace.
One can also get them shredded. There are industrial shredding machines that can shred even a hard disk. Depending on security ramifications, this is sometimes a good idea (banks, hospitals, etc.)
For REALLY secure data, there are companies which drive out a truck that has a shredder on it, and they shred them while you watch. Of course, such things cost more, but for some data it’s required.
Degauss first and then crush. Shredding alone (in theory) is not good enough. There have been studies where 1″ of disk could contain up to 300 documents which could still be retrieved if someone was intent on doing so.
They deserve it as they left it on the servers.