An irreverent Wall Street Blog

Oil Industry Website Hacker Sentenced To Prison

October 10, 2017

This is an UPDATE of "UPDATE: Hacking (Not Fracking) Gives Oil Industry Website Developer Gas Pains" (BrokeAndBroker.com Blog, December 20, 2016))

Nary a day goes by when we don't read about someone hacking into something. Frankly, we've grown a bit blase' about such things. A recent criminal Complaint, however, provides us with a fascinating details about the detective work involved in uncovering clues and ferreting out the mastermind behind allegedly unauthorized online access. At issue is the creation of an oil and gas industry website and the sale of that site for $51 million. Then the same guy who created that first site, builds another website eerily similar to the one that he had sold, and . . . well, here's where it gets interesting: The online entrepreneur attempts to sell the second site to the same folks who bought the first one from him. What makes that fact pattern illegal, you might ask. What's wrong with staying with a formula that already worked? Okay, maybe that's going to be the defendant's defense.

Case In Point

On March 30, 2016, the United States Attorney for the Southern District of New York ("SDNY") announced that it had unsealed a Complaint against David W. Kent, 40, Spring TX, alleging one count of Conspiracy and one count of Wire Fraud.United States of America v. David W. Kent, Defendant (Complaint, 16-MAG-1906, SDNY, March 23, 2016).

By way of background, the Complaint alleges that in 2000, Defendant Kent founded a website, which, in part, offered oil and gas industry professionals the ability to network by posting resumes and other personal/professional information. After opening a website account, a user logged on via username and password. Kent realized income from this website through the sale of advertising and fees from recruiters and employers who were looking for job applicants.

Payday

Apparently, Kent was on to something because by August 2010, a publicly-traded New York City-based company paid him $51 million for the website. The Complaint asserts that at the time of the sale, the member database was worth about $6 million. Thereafter, as more fully explained in the Complaint:

17. On or about August 9, 2010, DAVID W. KENT, the defendant, entered into an employment agreement with Company-1 (the "Employment Agreement"), agreeing to continue to serve as President of Website-1 after the acquisition. As part of the Employment Agreement, KENT agreed to not participate in any business that competes with Website-1 while employed by Company-1. KENT also agreed to refrain from competing with Company-1 if he left Company-1, until the expiration of the latter of three years after the signing of the Employment Agreement, or two years after leaving the employ of Company-1 (the "Non-Compete Period.")

18. In or around September 2011, DAVID W. KENT, the defendant, left Website-1. In or about October 2013, shortly after the earliest possible expiration of the Non-Compete Period, DAVID W. KENT, the defendant, announced that he had founded Oilpro.com ("Oilpro"), which also provides networking service to professionals working in the oil and gas industry. Oilpro is headquartered in Houston, Texas.

Moving On

After about a year of service, as President of the online business, Kent resigned in September 2011. Okay, so far, so good: Kent made a chunk of change, he served in a executive capacity during the first year of transition of his former website to new owners, and, for whatever reason, he moved on and founded a new biz. Maybe you caught the name of the new biz? Oilpro.com. Yeah, you're right, Kent launched another online networking venture servicing oil industry professionals.

Hacking

Starting around October 2013, Kent allegedly accessed his former website's member database without the authorization or permission of the new owners. According to the Complaint, once Kent gained access to the website database, he stole information, among which were the identities and profiles of some 700,000 customer accounts. On top of this digital breaking-and-entering, one of Kent's Oilpro employees (referenced in the Complaint as an unnamed co-conspirator), seems to have hacked into the old website's Google Analytics account and forwarded the data to Kent.

You Are Invited To Join

What did Kent do with the allegedly purloined information? The Complaint charges that he sent invitations to all the members of his former website to join Oilpro.com. Then there's another quirky twist: In April 2014, Kent contacts the Chief Executive Officer of the company that had purchased his former website and floated a story about how Oilpro had received an unsolicited offer of investment. Using that premise, Kent allegedly explained to the CEO that his "original mission" in setting up Oilpro was to build another site that the CEO's company might acquire.

Let's Make a Deal

After more than a year of communications about the possible sale of Oilpro to the company that had acquired the first website, Kent and the CEO, Chief Financial Officer, and General Counsel of the acquiring company teleconferenced to discuss the proposed acquisition of Oilpro. Kent represented that Oilpro had increased its membership through purportedly legal, standard marketing.

The Gumshoes At Work

One often wonders, when reading about such alleged fraud and hacking, how the purported bad guys got busted - how were they found out? In a rare instance, we sort of have the answer, even if only for this case. Paragraph 23 of the Complaint explains, in part, that:

a. On or about February 26, 2014, an individual who had created a member profile with Website-1 ("Member-1") contacted Website-1's customer support line. Member-1 stated, in sum and substance, that Member-1 had received an email solicitation from Oilpro to use Oilpro's services even though Member-1 had never provided any information in the past to Oilpro.

b. An internal review of Website-1's computer systems revealed no evidence that any employee of Oilpro had viewed Member-1's profile using an account created through Website-1.

c. To determine if the Members Database was being accessed improperly, employees of Company-1 created two fictitious member accounts and populated them with names and email addresses that were only available through Website-1's Members Database.

As further explained in the Complaint, on April 14, 2014, the fictitious member accounts received an email from an Oilpro employee soliciting a membership on Oilpro. In tracking down how the Oilpro employee obtained the contact information, it was discovered that on October 17, 2013, about 100,000 HTTP requests were submitted to the Member Database through the use of what was identified as a Get Resume Command, which was crafted to exploit a piece of source code unique to Website-1 and known only to a few individuals, including Kent. This was but the first round of identified hacking.

If convicted, Defendant Kent faced a maximum of 5 years in prison (Conspiracy) and 20 years in prison (Wire Fraud).

Bill Singer's Comment

I urge you to read the Complaint for the detailed explanation about how the investigation proceeded. It's a fascinating bit of detective work and an eye-opener as to how clues are found and used. By way of spoiler alert, the trail that eventually led to Kent went from the HTTP requests to a computer's Internet Protocol address to a United Kingdom company that was in the business of hiding a user's actual IP address to one of Kent's social media accounts and to an email address of Kent's that was used to pay the United Kingdom firm.

UPDATE December 2016

On December 19, 2016, Kent pled guilty to one count of intentionally accessing a protected computer without authorization as charged in a Superseding Information.  Kent faced a maximum penalty of five years in prison.


UPDATE October 6, 2017

On October 6, 2017, Kent was sentenced to one year and one day in prison for intentionally accessing a protected computer without authorization and three years of supervised release.

Permalink

Search BrokeAndBroker

Related Topics

Previous Entries

No Headlines Found

Tag Cloud

Bill Singer BrokeAndBroker FINRA Arbitration AWC SEC BrokerAndBroker Expungement Guest Blog Guest Blogger Aegis Frumento OBA Wells Fargo U5 BrokeAndBroker CRD InSecurities OHO Email Morgan Stanley Defamation U4 NAC ALJ Merrill Lynch BrokerCheck PST Supervision Whistleblower Statutory Disqualification Securities Industry Commentator Rule 3270 Suitability DOJ SDNY Promissory Note Rule 2080 Elderly Rule 2010 Willful WSP OIP Form U4 Wire Fraud Pro Se Rule 8210 EFL UBS Expenses RIA Form U5 Dodd Frank Stephen Kohn Business Expenses TRO Discretion Rule 1122 Bar Willfulness IRS Bank JP Morgan Fraud Discovery Wife Trump Ameriprise Husband NASD Bill SInger FAA Rule 3240 Borrowing Small Firm Conversion Supreme Court Rule 3280 Crypto Edward Jones Margin Wrongful Termination IRA Raymond James CCO Insurance 2Cir Estate Frumento Corrective Action Statement Outside Business Activities Stay Rule 12206 Mail Fraud Schwab arbitration Punitive Damages Tax LPL Promissory Notes Customer Bankruptcy Beneficiary Explained Decision TD Ameritrade Felony COVID Remand Citigroup Motion to Dismiss Options BrokeAndBroker.com Commissions Settlement Trust Case In Point OWB Injunction CFTC ACQ Board DCCir Rule 4511 OTR Initial Decision Retaliation Blockchain Sanctions Rule 3040 Tax Liens Ponzi Rule 2510 Wall Street Motion to Vacate Burris Due Diligence Forgery Spouses 9Cir Rule 4530 Discrimination Jurisdiction Eligibility Rule Unauthorized Discretion Reg SP Personal Expenses Unsuitability Offer of Settlement Rule 12200 Solicitation Outside Business Activity FBI Mandatory Arbitration SRO Insider Trading Bank of America Rule 3010 Compliance Failure to Supervise Checks NYSE Barclays Annuities Manifest Disregard ETF CRS Goldman Sachs Private Securities Transaction Divorce Disgorgement Loan Dissent FINRA Board Rule 3110 10Cir Class Action Cease And Desist PCAOB Fiduciary Conspiracy email Trustee Board of Governors Impersonation Power of Attorney Reimbursement Rule 9552 Credit Card IAR expungement VA Broker Protocol Unfair Competition Spoofing Spouse Cryptocurrency Customer Complaint Liens AML Zipper Emails Annuity Away Account T&P Tax Lien JPMorgan Complaint Indemnification Retirement Wey Disclosure Lucia SDFL Kokesh Due Process POA BD Breach of Contract Appeal MC-400 4Cir Lien Bitcoin Rule 12904 Willfully Coronavirus Public Interest Unauthorized Trading Postponement Racism BOP Severance REIT 3Cir Indictment Elder Abuse Securities Fraud Vacatur Fees Antitrust HFT Brummer Exhaustion of Administrative Remedies Dakota Securities Rule 12805 CMA Net Capital Test Motion to Confirm Rule 2111 Signature Covid Hilton Weiner Whistleblowers Wire Rule 3050 WSPs insecurities guest blogger guest blog aegis frumento Rule 2150 Employment Sexism Whistleblowing Statute of Limitations Marijuana PNC RR Suspension Gensler NASDAQ Deceased Widow Private Securities Transactions Examination Bureau of Prisons Money Laundering OIG BrokeAndBroker.com Blog Robinhood Stifel Nicolaus Sanction Guidelines Deutsche Bank PIABA Loans Bonus Rule 2081 Apple Stifel Signatures DNJ Non Solicitation Audit Will DOL Puts Bonds Leggett Puerto Rico Rule 13200 Preliminary Injunction Confidential Information Enforcement 11Cir Botkin Rule 4513 Misdemeanor Charles Schwab Self Regulation Great Recession OSHA Elder Fraud Mortgage TOD Absolute Immunity JPMS Margin Call Unjust Enrichment Mutual Funds CPA Membership Continuance Credit Suisse Statutory Disqualification Committee Hacking Registration Commission Unsuitable Small Firm Governor NoCA Website Rationale Diversity 1Cir supervision NDCA TheBlot Exam Pennystocks Standing Appointments Clause Arbitraiton Undisclosed Settlement ADA JPM Test Center Passcode BrokeAndbroker Inability to Pay RBC money laundering Mother IPO Finra Election Away Accounts Scottrade Immunity Rule 2210 Testimony Real Estate Robert Cook Annual Compliance Questionnaire AAA TCR Feigenbaum Spoliation Cannabis Statement of Corrective Action WB-APP Rule 13805 Waiver 6Cir Trade Secrets Written Supervisory Procedures 9/11 securities industry commentator State Actor E*Trade Rule 12504 Concentration Reg S-P Bandimere BrokeandBroker Extraordinary Cooperation Rule 9554 CEO Excessive Trading Sexist Affiliate Variable Annuities Michael King Biden Variable Annuity Hurry Sarbanes Oxley Form ADV brokeandbroker FINOP Compensation Imposter Michael King Associates Tortious Interference Solicited Irreparable Harm Restitution Johnny Burris Newman Superior Court FMLA Unsolicited DMD NRF Wachovia Facebook Star Wars Series 7 Medical Condition BrokeAndBroker Bill Singer FINRA Small Firm Rule 12212 Termination Fidelity Hester Peirce DDC Churning Conflict of Interest EDNY Ethereum Administrative Remedies Circuit Court Taxes Confidentiality Trading Platform Customer Information Non-Solicitation Subpoena Default Motion to Compel Sharemaster Financial Professionals Coalition Beneficiaries Research Sexual Discrimination ICO Talman Harris High Frequency Trading Pennystock Self Reporting Constitution Continuing Education Life Insurance Scottsdale 10b-5 Customers McDuff Self Directed PAQ Kon Social Media Marines Vietnam Marine Corps Honorarium Whitman Relevant Disciplinary History Consent Order Ride the Thunder Employment Agreement VIX IM Mutual Fund Service Hugh Hewitt Funds Rule 3030 Wanger Extraordinary Circumstances Stipulated Award Internet Rule 3310 Flash Crash Boycott Saad RMBS Hearing Sexual Harassment Government Accountability Project Information NSF SunTrust Cheating Check Kiting Guitron Obstruction RICO Lawyers Debit Card Wedbush Yesenia Guitron Testing ATM 5Cir Probate Respondeat Superior Privilege FNMA FINRA AWC Private Placement Dementia Scholander Interactive Brokers FOCUS Layering Nondisclosure Annual Audit Falsification 17a-5 Check JP Morgan Securities Guest Bloggers EEOC Lawyer Morgan Stanely Federal Reserve Chevron Son Revocation Capital Gains securities fraud Conflict SP Pension Prudential Oral Discretion Shah Gilani Slander Charity Penalty OWWP Hedge Fund Confirm Disciplinary History wire fraud Attorneys Fees WBAPP GameStop mail fraud Amazon Client Information Gamification Regulation SP Outside Counsel Fiduciary Duty Rory Flynn Acosta DCO Rule 1210 Blackbook Forex Executor Relevant Transamerica Liquidation NY Life Res Judicata Offset Puerto Rico Bonds Permanent Bar ARS Form TCR CDO SD FCI Rule 13504 Death Peirce ACH Joint Account Over Concentration WhatsApp Tesla FCI Beaumont FAP Zoom Texting Newport Coast Securities LLC Jennifer Tarr Obstruction of Justice Christian Stanley Rule 21F Arbitration Civil Rights Unauthorized Practice of Law Taft Correctional Institution Cold Spring Advisory Group Reverse Life Insurance Lehman Third Party Vendor Deferred Compensation Bear Stearns Oppenheimer Rule 13104 MSSB Elder Law 40 Act Withdrawals Rule 2430 Expert Witness Leveraged ETF Google OCIE Crime Embezzlement Control Person Non Solicit Securities America Libel Pruco Time And Price Commodities Fraud Verbal Discretion For Cause Book of Business First Amendment fraud NYG Capital Turnover EDPA bill singer Counterclaim Subject Matter Jurisdiction Tennis Court Mistake Trade Practices Oilpro Charge Rule 13904 Rule 12104 Calls Cantor Fitzgerald Allocation Compliance Questionnaire Trading Jay Clayton Retired Woman With Cane 10b-10 Constructive Discharge Rule 3210 Johnson Purshe Kaplan DAO Powell wrongful termination AWC. FINRA FINRA Arbitration Teleconference Finder\'s Fee Rule 12203 Hotel Jarkesy Nationwide ESOP Kierkegaard Motion Reason for Termination LIBOR AXA YouTube Administrative Process SDOH Non-Disclosure ESG CE Fernandez Trader Tax Advice Pham Panama Telephone Vungarala Cherry Picking Expulsion Lorenzo Nicolas Corcione Fundacion Nicor Ten Commandments Credit Cards SDCA Retroactive Bar Collateral Bar Municipal Advisor Fine Financial Disclosure Retroactive Pershing GME FNI Media sexism NRSRO DRS NFT Section 1332 Exception Reports Schottenstein Bartko FINRA Foundation Negligence Private Placements ALJ Grimes Third Party Beneficiary Transparency JOBS Act Last Known Address QuadrigaCX Mantar GAP Rule 21F-17 In House Counsel CD NYAG Communications Undertaking expenses Promoter SLUSA Accounting JAMS In Connection With Deceased Customer MAP reimbursement TSSB HSBC false statements AMC Rule 13206 Reg SHO DMCA Gross Ruder Task Force Confidential Audit Committee Sharing Agreement Books and Records Kiting Rule 144 VXX Corporate Governance Motion to Compel Arbitration Back Dated Equity ACT! Tysk Altered Apartment Particularity Declaratory Judgment Rule 13212 Lek Rule 13201 Ethics Court of Appeal Orders Daspin Rule 2140 APA Title VII Motion to Exclude Section 206 PSRO Joint Production Discharge Exception Report Salman Stephen A. Kohn Self Regulatory Organization Investment Advisers Act Kent Transitional Bonus UIT MSPB Ruemmler Production Bonus Burden of Proof Notice Alcoholism Jury Instructions Harris finra Confirmation NPI Sterne Agee ALJ Foelak NMS Covid-19 Shotgun Pleading Risk Romer Article V Motiion to Acquit Fraudulent Inducement Grievance LOA annuities Wires Crowdfunding Hacker Confidential Customer Information defamation Rule 12511 Bob Dylan Data Meals Office of Special Counsel Escrow Clearing Firm Bill singer Unauthorized Trades Stipulation Reasonable SIFMA S&P Microcap elderly Motion to Postpone Electronic Communications Fidelity Brokerage Services Public Arbitrator Dostoevsky Bezos Municipal Bonds Berthel Fisher ETFs Expert EDVA FOREX Currency CNBC Income Capitalism No Show Series 79 Guardian Punitive Cryptocurrencies PN Exotic ETF Clayton Lexicon Reg D Ecuador Production Hayden Newbridge MDLA Daughter Witness Tampering JPMorgan Chase NYLIFE Non-Solicit Rule 420 Voya Principal Quasi Governmental Exemption Non Compete College Solomon Day Trading Disability Regulation Elon Musk Restaurant Private Actor Disparate Treatment Abstention AI Chief Compliance Officer Willfull Nietzsche Bequest Rule 2330 Rule 9216 Unregistered Fee Conflicts Rule 1031 Game of Thrones whistleblower Initials Perjury Investment Adviser Howey Harassment Vaccarelli Led Zeppelin Broke And Broker Judgments Traders Exhaustion Doctrine SIE Success Fee TradeStation ADR