Ex-IT Worker Guilty of Network Intrusion

A former Columbia Sportswear worker pleaded guilty Wednesday to intentionally accessing the company’s IT network without authorization gaining insight into business transactions and commercial and private information, federal officials said.

Michael Leeper, 41, of Tigard, OR, had been an employee of the company from May 2000 to February 2014, and became Columbia’s Director of Technical Infrastructure in 2012.

RELATED STORIES
Yahoo Attack Suspect Faces Extradition
UK Man Guilty in German Mirai Attacks
2 Iranians Face Federal Charges
Dark Web Market Shut Down

In March 2014, he resigned from his position and began working for Denali Advanced Integration, a reseller of computer hardware and software.

Before leaving Columbia, Leeper created an unauthorized account called jmanning, under the false name “Jeff Manning,” and used it to access the company’s network for over two years, officials said. The intrusion was discovered in the summer of 2016, when Columbia performed a software upgrade.

Gaining that access allowed him to gain insight into the company’s business transactions and commercial and private information, a complaint filed in March 2017 claims.

“Over approximately the next two and a half years, and without Columbia’s knowledge or consent, Leeper secretly hacked into the private company email accounts of numerous Columbia employees, and, on information and belief, into other parts of Columbia’s private computer network. He did so hundreds of times.”

“During the intrusions, Leeper illegally accessed a wide variety of confidential business information belonging to Columbia. That information included emails concerning business transactions in which Denali had a financial interest; emails concerning transactions between Columbia and Denali’s competitors; and confidential budget documents related to the IT Department’s long-range planning,” said the complaint filed in the United States District Court, District of Oregon, Portland Division.

The suit also names Denali and its parent company, 3MD Inc., for involvement in the hack. In March 2017, however, Denali denied any involvement in Leeper’s fraudulent activity and also fired him from his position as Chief Technology Officer. The company also said it was fully cooperating with investigators in this case.

Leeper could receive a maximum sentence of 10 years in prison, along with a $250,000 fine and three years of supervised release. Sentencing is scheduled for December 7.

“As a result of the Columbia Sportswear Company’s cooperation and a thorough investigation by the FBI’s Oregon Cyber Task Force, we have secured an appropriate conviction. Unauthorized computer intrusion is a serious crime, and those that unlawfully gain sensitive or proprietary information must be held accountable for their illegal conduct,” said Billy J. Williams, United States Attorney for the District of Oregon.