After social engineering hack, judge rules ‘very poor’ contract won’t save hosting company
The American web hosting service 100TB.com is on the defensive in federal court after a customer, the social network Xat.com, suffered multiple breaches it says came via a social engineering attack that allowed an unidentified hacker to wipe servers, steal intellectual property and erase logs.
In response to 100TB’s motion to dismiss the lawsuit, a federal judge in Utah criticized 100TB’s contracts as “very poorly drafted,” overly broad and possibly unenforceable because they attempt to make the company almost completely devoid of responsibility for mistakes that damage customers. That kind of total liability waiver rarely stands up in court. Xat’s lawyers claim total damages tally to $500,000.
The contract between Xat and 100TB limits the hosting company’s liability to a single month’s fees which, in this case, amount to $2,715.95. The amount is so small, U.S. District Judge Paul M. Warner wrote, that the “trivial sum is just window dressing for eliminating liability altogether.”
Companies can write and agree to whatever they want in their contracts but it’s the courts that ultimately decide if any of the legalese carries any weight. In this case, the judge is leaning heavily toward no.
Xat’s blow-by-blow of the hacker’s attacks paints a portrait of 100TB as dangerously incompetent. After months of warnings about repeated malicious social engineering attacks, the hacker finally gained control of Xat’s accounts on Nov. 4, 2015.
“On November 4, 2015, an unknown third party successfully convinced 100TB to add an unauthorized email address to Xat’s account, to turn off two-factor authentication on Xat’s account, and to give the unknown third-party control over Xat’s servers,” according to Xat’s complaint. “The attacker(s) damaged one of Xat’s servers, stole proprietary software, and wiped the server so that Xat was unable to recover data from it.”
The company asked 100TB to back up and shut down the servers until the attack was contained. That did not appear to happen at all.
“On information and belief, 100TB did not power-down at least three of Xat’s servers after the First Cyberattack, did not turn on two-factor authentication, and did not backup the data on the Xat servers,” Xat claims. “On November 8, 2015, an unknown third party gained root access to Xat’s main server through 100TB. The unknown third party accessed Xat’s proprietary log files, databases and source code, and erased system log files from Xat’s server.”
Neither Xat nor 100TB responded to a request for comment on the lawsuit. Read the judge’s decision below:
https://www.documentcloud.org/documents/3455238-4a40b019-77ce-4ec4-9f9c-179199136cca.html
