Cyber-Attack Leads to Cat Fight in Court

BoxIt, LLC, owner of KitNipBox, a monthly service that provides goodies for cats, has sued competitor Meowbox in Federal Court in the wake of a cyberattack. In its complaint BoxIt alleges that Meowbox, and its employees, Francois Deschenes and Olivia Canlas (also named as individual defendants),

Illegally hacked into KitNipBox’s website in order to gain confidential information and trade secrets belonging to KitNipBox while at the same time attempting to disrupt KitNipBox’s servers, email deliverability, and reputation.

The cyberattack was clearly malicious, and well planned.

According to the complaint, Deschenes, Meowbox’s Chief Technical Officer, unleashed a malicious script on the night of March 14, 2016, that added over 8,000 emails to KitNipBox’s database. This accomplished several things:

1. It was a “Denial of Service” attack — flooding KitNipBox’s server with so many requests, it would cause legitimate customers to be unable to get through.
2. The script was set up in a way that it would cause automated responses to be issued from KitNipBox’s server, allowing MeowBox to identify customer’s in KitNipBox’s database for purchases of poaching customers.
3. The thousands of emails sent by the KitNipBox server is a response to the malicious script, which resulted in KitNipBox’s spam rate going way up — meaning it was likelier that KitNipBox’s own legitimate emails would end up in customer’s spam or junk mail folders.

BoxIt hired a digital security firm and traced the attack to Deschenes.

At the heart of the lawsuit is whether or not Meowbox’s actions were a violation of the Computer Fraud and Abuse Act (CFAA). MeowBbx has tacitly admitted they unleashed the malicious script, but denied it was a violation of the CFAA.

CFAA

The CFAA is a 1986 amendment to the Counterfeit Access Device and Abuse Act of 1984. Among other things, the CFAA states that anyone who

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; has committed a crime.

MeowBox’s lawyer claimed that “running a script on a public website” is not a violation of the CFAA. KitNipBox’s complaint says this is “incorrect as a matter of law.”

It’ll be up to the court to decide, but it seems quite a stretch for Meowbox to claim that what they did was not a violation of the CFAA. To the contrary, it would seem to be exactly the sort of behavior the CFAA was intended to stop!

Takeaways

Unscrupulous competitors may be willing to break the law in order to hurt your business.

Since there are bad players out there, it’s important to protect your servers with good security including anti-virus and anti-malware software. In the event you’re harmed by an attack — and can figure out who the attacker was — the CFAA allows you to collect civil damages from the assailants. In addition, the CFAA provides for criminal penalties for certain type of destructive behavior.

(Photo Credit: “DSC_6424” by yoppy is licensed under CC BY-SA 2.0.)