author photo
By Bruce Sussman
Thu | May 28, 2020 | 5:30 AM PDT

If you've purchased life insurance, you may have decided on a policy with the help of their technology.

Compulife and NAAIP are direct competitors in a niche industry: they both generate life insurance quotes for brokers who sell insurance.

And court documents reviewed by SecureWorld reveal that one of the companies hired a hacker to get inside information and code used by the other organization.

Hacker hired to perform corporate espionage

Judge James Randal Hall, of the Eleventh Circuit U.S. Court of Appeals, explains the case this way in his recent decision:

"There's nothing easy about this case. The facts are complicated, and the governing law is tangled. At its essence, it's a case about high-tech corporate espionage.

Compulife Software, Inc., which has developed and markets a computerized mechanism for calculating, organizing, and comparing life-insurance quotes, alleges that one of its competitors lied and hacked its way into Compulife's system and stole its proprietary data."

The competitor, also the defendant in this case, is NAAIP.

"The question for us is whether the defendants crossed any legal lines—and, in particular, whether they infringed Compulife's copyright or misappropriated its trade secrets, engaged in false advertising, or violated an anti-hacking statute."

Evidence confirms hacker was hired for corporate espionage

At the core of this case is the fact that NAAIP hired a hacker to capture the computer code belonging to Compulife.

Judge Hall confirms this part of the case in his decision:

"At one point—more on this to come—the defendants also employed a hacker named Natal, who, it is undisputed, took Compulife's data for use in the defendants' software."

The documents reveal the hacker is a woman, elusive enough that those who hired her don't even know her first name.

What did the hacker do in this case of corporate hacking?

Judge Hall continues to unpack what the hired hacker did and how she sped up the timetable by using a bot:

"Compulife alleges that the defendants hired a hacker, Natal, to 'scrape' data from its server. Scraping is a technique for extracting large amounts of data from a website.

The concept is simple; a hacker requests information from a server using ordinary HTTP commands similar to those that a legitimate client program of the server might employ in the ordinary course.

Although a hacker could obtain the data manually by entering each command as a line of code and then recording the results, the true power of a scraping attack is realized by creating a robot—or 'bot,' for short—that can make many requests automatically and much more rapidly than any human could.

A bot can request a huge amount of data from the target's server—technically one query at a time, but several queries per second—and then instantaneously record the returned information in an electronic database. By formulating queries in an orderly fashion and recording the resulting information, the bot can create a copy—or at least a partial copy—of a database underlying a website.

Natal used this scraping technique to create a partial copy of Compulife's Transformative Database, extracting all the insurance-quote data pertaining to two zip codes—one in New York and another in Florida.

That means the bot requested and saved all premium estimates for every possible combination of demographic data within those two zip codes, totaling more than 43 million quotes.

Doing so naturally required hundreds of thousands of queries and would have required thousands of man-hours if performed by humans—but it took the bot only four days."

Four days of scraping and NAAIP was able to run quotes based on Compulife's code. That's one way to level the competitive playing field.

Amazingly, after all this, the original judge in the case said Compulife failed to prove its competitor had violated any laws.

That's where the Eleventh Circuit Court of Appeals comes in.

Was hacking a competitor a crime?

The lower court ruled there was no crime. 

The Eleventh Circuit Court of Appeals disagreed and overturned much of the lower court's decision, and is sending it back for a second look at the evidence and issues.

Judge Hall, writing on behalf of the Appeals court, sums it up like this: 

"The magistrate judge's failure to look more closely at the texts of the two codes is particularly concerning given the similarities apparent on their faces. 

Even a cursory comparison of the two segments suggests that the defendants' work copied material from nearly every page of the copyrighted work. The defendants' code includes nine of the eleven basic sections of Compulife's code, arranged in almost exactly the same order.

If the scraping attack constituted 'improper means'—a question that the magistrate judge also failed to address—it would be difficult to escape the conclusion that the defendants either (1) used a trade secret of which they had improperly acquired knowledge or (2) used a trade secret of which they had acquired knowledge from a person whom they knew or had reason to know had improperly acquired the knowledge."

In other words, the litigation in this case appears far from over. But what we already know reveals something disappointing.

Competition is now driving some organizations to hire hackers as part of their strategy to win.

Read the Appeals Court decision in the Compulife Software case for details on all of the lingering legal questions. 

Cybersecurity podcast

It is not about life insurance, but instead, our recent podcast episode is about how cyber insurance can drive an incident response plan off track or help make it a success. Listen here, or on any podcast app:

Tags: Hackers, Cyber Law,
Comments