A former employee of Columbia Sportswear pleaded guilty on Wednesday to intentionally accessing the Columbia Sportswear IT network without authorization.
Michael Leeper of Tigard, Oregon had been an employee of the company from May 2000 to February 2014, and became Columbia’s Director of Technical Infrastructure in 2012. In March 2014, he resigned from his position and began working for Denali Advanced Integration, a reseller of computer hardware and software.
Before leaving Columbia, Leeper created an unauthorized account called jmanning, under the false name “Jeff Manning,” and allegedly used it to access the company’s network for over two years. The intrusion was discovered in the summer of 2016, when Columbia performed a software upgrade.
The fraudulent activity provided him with insight into the company’s business transactions and commercial and private information, a complaint filed in March 2017 claims.
“Over approximately the next two and a half years, and without Columbia’s knowledge or consent, Leeper secretly hacked into the private company email accounts of numerous Columbia employees, and, on information and belief, into other parts of Columbia’s private computer network. He did so hundreds of times.”
“During the intrusions, Leeper illegally accessed a wide variety of confidential business information belonging to Columbia. That information included emails concerning business transactions in which Denali had a financial interest; emails concerning transactions between Columbia and Denali’s competitors; and confidential budget documents related to the IT Department’s long-range planning,” the complaint reads (PDF).
The suit also names Denali and its parent company, 3MD Inc., for involvement in the hack. In March 2017, however, Denali denied any involvement in Leeper’s fraudulent activity and also fired him from his position as Chief Technology Officer. The company also said it was fully cooperating with investigators in this case.
On Wednesday, the company issued another statement, reiterating that it played no role in Leeper’s misconduct, while also saying that the investigation of Leeper and Denali by the FBI and the Department of Justice brought no charges against the company.
“As the criminal charge and plea confirms, Denali played no role in – nor benefited from – Leeper’s misconduct. The company takes pride in its integrity. It does not condone unfair business practices, and will not tolerate illegal conduct,” Denali said.
41-year-old Leeper could receive a maximum sentence of 10 years in prison, along with a $250,000 fine and three years of supervised release. Sentencing is scheduled for December 7, 2017.
“As a result of the Columbia Sportswear Company’s cooperation and a thorough investigation by the FBI’s Oregon Cyber Task Force, we have secured an appropriate conviction. Unauthorized computer intrusion is a serious crime, and those that unlawfully gain sensitive or proprietary information must be held accountable for their illegal conduct,” Billy J. Williams, United States Attorney for the District of Oregon, said.
Related: ICS Networks Not Immune To Insider Threats