When it rains, it pours.
In the last month alone, we had 2 cases of IP theft from internal staff. The last time something like this happened was over 7 years ago. It’s a pretty rare thing, and funny that two incidents should happen together. I am writing about these experiences to show how we are dealing with them, and to collect feedback on anything else we can do.
In the first case, an offshore employee was given his 2-week notice for being shoddy at work. During this time he was supposed to finish pending tasks and pass on his work to someone else. However, this guy, since he had access to our SVN, decided to copy the entire codebase locally, and also figured out how to download parts of the DB such as the all-important user table. Part of it was a security loophole on our side. The rest of it was him being an asshole.
What we did about it
Confronted him. Initial reaction: denial. When presented with evidence such as server & IP logs, SVN history, etc., still denial. I then reached out to his new employer (the one where he was going to work next) and informed them about what happened. Suddenly, this guy’s story changed. He admitted to wrongdoing in writing, returned everything, and promised never to do this again. He also got fired from his new job. Since the data stolen was relatively inconsequential, I consider this appropriate “punishment.”
Lesson: Contacting past and future employers and letting them know works.
Since this person was not working for another company, the easy and quick approach in Case #1 wouldn’t work here.
What we did
The options were:
1. File a local police complaint / lawsuit in the local country
2. Contact the local mafia
3. Prosecute their US-based partner*
*I know he has a US-based partner since some of the third-party payment processing services require a US company or person to sign and operate those accounts.
We ended up pursuing all 3 options. #1 is pretty slow and ineffective, especially if it’s a third-world country where there is little rule of law. Thieves and murderers rarely get caught, so IP theft is pretty low on the list of priorities of law enforcement. #2 is something that’s a long shot, but may turn out to be effective. We’ll see. #3 is underway. A lawsuit has been filed here, subpoenas issued, and within the next 30 days or so I’ll know who the US counter-parties are and we will prosecute them as aiders and abettors of this crime.
The cost of this lawsuit will likely be greater than the small damages incurred, but it is a matter of principle. You can’t let people F*** with you and get away with it.