Hacked server leads Ontario court to dismiss case

A Superior Court judge has dismissed a lawsuit after the plaintiff hacked into the defendant’s computer server while legal proceedings were taking place.

The plaintiff secretly and surreptitiously accessed and downloaded the entire contents of the defendant’s server, including privileged communications between the defendant and his solicitors, as well as data unrelated to the lawsuit.

The plaintiff, Autosurvey Inc., asserted it was acting within its rights to obtain recovery of property, which it claimed had been taken from it. But this didn’t entitle it to take matters into its own hands, according to the judge’s ruling.

“(We) couldn’t really find any precedent, so this may be the first case of its kind, where the judge has said you can’t go ahead because of your conduct,” said David E. Fine, lawyer for the defendant with Gardiner Roberts LLP in Toronto.

Fine and James R.G. Cook, also a lawyer for the defendant, were retained by Prevost, the defendant, on May 6, 2005. The original date for the hearing was scheduled for May 13, and during this time, the plaintiff prepared a number of further affidavits in addition to the one that had originally been served.

“One of these affidavits indicated they had found out that our guy had taken confidential proprietary information off of their server, but they didn’t explain exactly what they had done to find this out,” said Cook. “As it turned out – and we only found this out 20 days later – they had hacked into our guy’s server using (what) they called a ‘shot in the dark’ password.”

On May 10, the plaintiff made a number of attempts to access the defendant’s server in New Jersey and, once inside, spent about three hours there. The plaintiff’s lawyer, from the Davis Webb firm, then advised the plaintiff to “secure its property, preserve the evidence and note the contents.” On May 11, the plaintiff not only hacked into the defendant’s server again, but also made a complete copy of it and then deleted the logs so there would be no record of the plaintiff having been there.

This made the plaintiff’s lawyer complicit, even if not an active participant in the inappropriate conduct of his client, according to the judge’s ruling.

“One of the remedies (the plaintiff was) seeking is called an Anton Piller order, which is a civil search warrant,” said Fine. “They were in effect giving themselves this self-help remedy without waiting to go to court.”

The incident was discovered when the plaintiff submitted a DVD – with the materials hacked from the defendant’s server – as evidence in the lawsuit. On May 31, the defendant’s lawyers received a fourth affidavit, which enclosed as an exhibit the DVD. In marker was written: “full server backup, May 11, 2005.”

“The judge stayed their action without even hearing the merits on the basis of a combination of Autosurvey’s ‘brute force entry’ and the complicity of their lawyer in the matter,” said Cook.

According to court documents, the judge was dismayed to hear the plaintiff’s lawyer had some involvement in the decision to download the defendant’s documents and did not immediately notify the defendant, his lawyer or the court.

While the defendant was a former employee of the plaintiff, he was also a Web administrator for a number of other businesses that had their Web sites on his server. After discovering his server had been hacked into, the defendant then had to contact his clients and tell them their data had been compromised.

“Accessing someone’s computer in an unauthorized fashion is a Criminal Code violation for starters,” said Sunny Handa, a partner with the Montreal office of Blake, Cassels & Graydon LLP. Handa is also co-head of the firm’s national Information Technology Group. “Number two, there’s copyright infringement for downloading all of the materials. You could argue fair dealings because you were doing it for research purposes to build your case, but nonetheless the potential is there for a copyright claim.”

There’s probably a privacy issue buried in there as well, he said, since the plaintiff was communicating personal information without consent of the actual people involved.

“The judge at that point can’t rely on the evidence anymore,” said Handa. “If the plaintiff’s going to do that, God knows what else the plaintiff is possibly doing with the evidence.”

There is a court-sanctioned process for “discovery” and getting access to documents, he said. “If the court had allowed the evidence, one can only imagine plaintiffs all over the place hacking into defendants’ computers trying to find things out.”

Comment: [email protected]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Vawn Himmelsbach
Vawn Himmelsbach
Is a Toronto-based journalist and regular contributor to IT World Canada's publications.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.