You're Only As Good As Your Password

Outsiders penetrated Niku Corp.'s Web site to steal data--and it can happen to anyone

Warren Leggett had just spent the long July 4 weekend golfing with his brother-in-law near Portland, Ore. Early the following Monday morning, his relaxing holiday ended abruptly. The chief information officer of Niku Corp. (NIKU), a small Silicon Valley software company, found himself plunged into a shocking case of alleged corporate espionage--one that raises troubling questions about the security of company information in the Internet Age.

It all started when Leggett's brother-in-law, Jay Berlin, a mid-level tech manager at Nike Corp. (NKE), agreed to view a demonstration on July 8 of Niku's software, which helps companies collaborate on big projects over the Web. The morning of the meeting at Nike's suburban Beaverton offices, Berlin checked his voicemail--which included a message from a salesperson at Niku archrival Business Engine Software Corp. That's odd, he told Leggett. He didn't even know the firm, and he wouldn't be the one to buy such software anyway. How did they know to call him?

Struck by the coincidence, Leggett says, he dug into Niku's Web access logs the next morning and discovered that someone using Internet addresses owned by Business Engine had used Niku passwords to sneak into Niku's network more than 6,000 times, downloading some 1,000 documents--including one that Leggett wrote about the planned demo for Berlin. The allegations are outlined in a lawsuit filed on Aug. 12 in U.S. District Court in San Francisco. "We never, ever assumed something like this could be going on," says Niku Chief Executive Farzad Dibachi. In a written statement, Business Engine said it's cooperating with an FBI investigation and does not yet know all the facts around the case.

The alleged high-tech pillaging highlights a vexing problem in today's networked corporations: gaping holes in computer security. Passwords, which can be easily guessed or tricked out of employees, are becoming the Achilles' heel of computer security. On Aug. 14, for example, an associate dean at Princeton University was removed from his post after admitting he used easily guessed passwords to access a student admissions site set up by Yale University. Indeed, an April survey of 500 corporations by the Computer Security Institute found that 80% of them had been broken into, resulting in combined losses of $455 million. And there are no easy solutions. "For all intents, when they are using that password, they are inside that network," says Dorothy Denning, a computer science professor at Georgetown University.

Now the feds are involved. On Aug. 8, at least two dozen FBI agents raided Business Engine's offices. FBI officials won't comment. Five days later, a federal judge issued a temporary restraining order against Business Engine and ordered it to ask its business partners and customers to return any proprietary Niku information it may have given them. In an Aug. 20 statement, Business Engine said it asked Niku to work with an "independent third-party mediator" to help resolve the case. Niku execs said that, as of press time, they had not received that request.

The Niku lawsuit doesn't specify damages. Company officials claim that, using the stolen information, Business Engine was able to become a last-second competitor on several major deals, including a project at Lloyd's of London, according to court documents.

The loss of big deals couldn't have come at a worse time for Niku, which is struggling with the tech downturn. The still-unprofitable Redwood City (Calif.) company has reduced its staff from 1,100 a year ago to 300 today. In the quarter ended in July, its sales fell 38%, to $10.5 million, from the year before.

The stolen Niku files, the company contends in the lawsuit, were the crown jewels of the software company, including upcoming features, lists of potential customers, pricing, and customizations for clients. The downloaded items also included one file mentioning that Leggett planned to show Niku's software to a project manager from Nike. That file, the only place an invader could have learned of the Nike meeting, didn't mention that Leggett and Berlin were related.

That was strange enough, but Leggett says he kept digging and found more. He was stunned to find that someone outside the company used 15 internal passwords over and over again. The invasions had occurred since last October. "It was sheer coincidence," says Dibachi. "Otherwise, who knows how long this would have gone on?"

Even now, officials aren't quite sure how the passwords fell into the wrong hands. It could be weeks or months before Niku and the FBI figure that out. But for the rest of the industry, Niku's experience is a warning call: The nearly $3.6 billion being spent worldwide on computer security clearly isn't enough.

By Jim Kerstetter in San Mateo, Calif.