We’re used to thinking about the problem of data theft as one driven by straight-up cyber criminals: shadowy operators from overseas who want to siphon off easily saleable data like credit card numbers, Social Security Numbers, user names and passwords.
But a couple recent stories underscore the fact that data theft isn’t just about hackers. Often, the culprit is another company or market competitor hungry for an edge in a competitive marketplace.
Take the case of Heritage Auction House, which said last week that it was suing competitor Christie’s and Collectrium over the alleged theft of sales data. According to the suit, Collectrium staffers set up a range of bogus accounts at Heritage, including an account in the name of one “Jason Bourne” to siphon off data and descriptions of art listings using a spidering program to crawl the Heritage website. (Christie’s bought Collectrium in 2015.) Those listings, which are then attached to objects of art for sale (like this yellow, custom guitar owned by the late pop artist Prince), become part of the intellectual property of the auction houses.
Heritage claims that nearly 3 million listings in Collectrium’s 11 million listing database were stolen from its web site. A Christie’s spokesperson told the web site Artnet that it is reviewing the allegations against Collectrium, but declined to comment further.
This isn’t the first case like this. Apple was forced to remove an app called Magnus from its app store over similar complaints. The app, which promised to be a kind of “Shazam” for works of visual art allegedly scraped artwork prices and descriptions from proprietary databases owned by ArtFacts and Artsy, competitors, and which were allegedly reproduced in the Magnus app.
A similar case is playing out, as well, in the real estate industry, where Washington D.C. based CoStar Group is suing its competitor Xceligent for what it alleges is “brazen and widespread theft” of the company’s data and photos. Xceligent has denied the allegations. It should be noted that CoStar, which sells commercial real estate research services, has a track record of using lawsuits to try to dissuade competitors. In a statement, Xceligent said that it “respects intellectual property rights, including those of its competitors,” and that its data centers operate to ensure the protection of intellectual property rights.
These cases underscore the degree to which companies that are in the business of selling data are left vulnerable to these kind of low and slow attacks. In all these cases, the alleged theft took place not using “smash and grab” techniques like brute force password cracking or SQL injection – the common tools of cyber criminals. Rather, competitors simply used scripts to emulate the perusing of legitimate customers – at scale. In the process, they were able to compile huge amounts of data with considerable value.
Companies are particularly vulnerable to this type of attack when they often offer their data for free or at low cost to the public, but professionals a fee to access and use it on their own site or in other materials.
What’s to be done? Companies that offer such online data stores for a subscription need to be ever vigilant about unusual traffic patterns that suggest a machine – not a human – is behind the wheel. The differences in use patterns between a crawler and an individual human researcher are easy to spot – if you’re looking for them.
Behind the scenes, companies also need to pick any low hanging fruit: making sure that free or temporary accounts can’t be abused to siphon off reams of data and watching for patterns of abuse among registered and paying members. Application security flaws such as weak authentication and SQL injection should, of course, be patched.