Digital River sues over data breach

A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 19-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars.

The Eden Prairie company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying, altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects that the information was stolen by hackers in New Delhi, India, possibly with help from a contractor working for Digital River.

Porat has said he got the information from India, but won't say how or from whom.

"I fully suspect that Mr. Porat hacked the hacker," said Christopher Madel, an attorney with Robins, Kaplan, Miller and Ciresi who's overseeing Digital River's investigation.

The matter came to light Thursday afternoon when U.S. District Judge Donovan Frank convened a public status conference in the case. The hearing was posted on the court docket without listing any of the parties involved.

A reporter attended the hearing, and Frank ordered all previously filed documents to be unsealed without objection. Frank, who co-chairs a committee on public access to the federal courts in Minnesota, said he temporarily allowed the civil case to be filed under seal -- and without notice to the defense -- so Digital River could issue subpoenas and safeguard evidence that might otherwise be destroyed or disappear.

Digital River Marketing Solutions Inc. filed the lawsuit under seal on May 13 listing Porat and his company, Affiliads, as defendants and demanding to know how they obtained Digital River's data and what they've done with it.

The data was originally gathered by companies that offer "affiliated marketing" programs, a practice in which businesses pay a commission to affiliates who post links on the Internet that drive customers to participating companies. The affiliates get paid when consumers buy something, make an inquiry or provide a sales lead.

Direct Response Technologies, a Digital River subsidiary based in Pittsburgh, sells a leading software program called DirectTrack to help companies create and manage affiliated marketing programs. Data gathered by the program gets stored on Digital River's servers, and access to it is tightly restricted with passwords and other security measures, the company says.

Since the lawsuit was filed, Porat has tried to be as forthcoming as possible without waiving his constitutional rights, said his attorney, Joseph Nierman of Passaic, N.J. He noted that Porat participated in a deposition with the plaintiffs that lasted nearly six hours.

Madel said that while Porat has cooperated, he also invoked his Fifth Amendment right against self-incrimination "about 26 times," refusing to explain how he got the data, or from whom. "I am very reluctant to say that Mr. Porat has been forthcoming" with everything he knows, Madel said.

Porat said Thursday evening that he was too busy to talk to a reporter.

Regardless of how he got the data, the suit alleges that Porat tried to sell it for $500,000 to Media Breakaway, a marketing firm based in the Denver suburb of Westminster, as well as to some of Media Breakaway's competitors. Court records say that Porat had been an affiliate of Media Breakaway, and had collected commissions totaling $1,600 for driving consumer traffic to the firm.

Firm cooperated with FBI

According to Media Breakaway records, it initially spurned Porat's offer. When he persisted, the company notified Digital River and helped the FBI to investigate the matter.

Madel disclosed Thursday that a federal grand jury is investigating the alleged data theft under the direction of Assistant U.S. Attorney Timothy Rank, one of the prosecutors in the trial of convicted Ponzi schemer Tom Petters.

Porat, who lives at home with his parents, claimed in e-mails and instant messages with Media Breakaway that he had consumer-tracking information from a dozen different companies, including names, e-mail addresses, websites, company names and unique user-identification numbers, for 198,398 individuals. This kind of information is extremely valuable to companies seeking targeted marketing lists of potential customers.

Scott Richter, CEO of Media Breakaway, said in a court filing that Porat claimed to be offering the DirectTrack data to the highest bidder. He said Porat told him that he got the data from a former consultant for Digital River, who captured it during an enhancement of the DirectTrack data system when security systems were taken down temporarily.

Gary Olden, vice president of product management at Digital River Marketing, said in a court filing that an internal investigation found that the stolen data was accessed Jan. 27 from four different computers linked to a DirectTrack customer in New Delhi named VCommission, or Vaxat iTech Pvt. Ltd. He said the data was downloaded using a "highly unusual" search command.

Olden said he could find only one other instance where that type of command was used to access DirectTrack data. It took place six hours after the command was issued in India, and it came from another customer, Clickbooth/IntegraClick, a marketing firm in Sarasota, Fla. In that case, though, the user only accessed Clickbooth/IntegraClick's own data, he said.

Olden said his customers and clients view data security as an important component of DirectTrack, as they have "a significant interest in ensuring that their customer lists are not made available to their competitors (let alone sold to the highest bidder)."

Dan Browning • 612-673-4493