New York-based Reis Services has amended its data piracy lawsuit to name a defendant. At the time of the original filing, on August 21st, Reis knew the suspected thief’s IP address but was unsure of their identity.
Reis’ database contains information on commercial properties in 275 of the largest US markets. They offer pay-as-you-go access or subscription-based access to their data. According to the amended complaint, filed last week in a Manhattan federal court, they have pinpointed an alleged thief, claiming it must be someone within Greenville, South Carolina-based Armada Analytics, a company offering due diligence services for real estate loans and acquisitions.
Armada Analytics, which is privately held, has not responded to requests for comment. According to their website, the company was established in 2006 to underwrite mortgage debt. In 2009, they began offering commercial real estate due diligence, including property financial statement analysis and portfolio risk monitoring. In 2013, they added a zoning report service and site inspections. Most recently, in 2015, Armada added an insurance review platform for monitoring policies associated with mortgaged collateral.
Armada has satellite offices in Dallas, Detroit, Atlanta, Denver, and Washington DC, but not in Austin, which is where Reis had originally speculated the data theft was occurring.
Like many industries, CREtech companies are becoming increasingly vulnerable to the threat of corporate espionage and theft of proprietary data.
According to Reis, an internal investigation has confirmed that multiple employees or affiliates of Armada were using misappropriated login credentials that belonged to legitimate Reis subscribers. After Reis learned of the unauthorized access and demanded payment, Armada stopped using the database from the IP address in question but Reis contends that Armada continued to obtain reports through other Reis subscribers.
Reis’s Compliance Group was able to discover the IP address using the “reverse lookup” feature of various brand protection and cybercrime investigation tools. Through registration activity on Reis’s public-facing website, they were able to identify David Beall, a principal of Armada, who identified himself by providing his name and an armadaanalytics.com email address. Upon further investigation, Reis learned that Beall had obtained the login credentials from the legitimate Reis subscribers and purported to use them on the subscribers’ behalf.
Reis has requested a trial by jury and is seeking $629,010, representing the value of the 1,562 reports allegedly downloaded without permission from February 2011 to March 2014, plus punitive damages, attorney’s fees and expenses.
Like many industries, CREtech companies are becoming increasingly vulnerable to the threat of corporate espionage and theft of proprietary data. Often a company’s most valuable asset is the real estate information they collect along with reports and analysis. Problems arise because companies are storing and retrieving information from the cloud and allowing access to data via remote login and APIs (application programming interface), both of which are susceptible to misuse.
In the case of Reis data, employee login credentials were compromised, allowing easy access to what otherwise may have been a secure server. But even without a rogue employees help, API keys and authentication tokens, run the risk of being intercepted and used in a non-approved way.
Tech companies need to implement well communicated policies and procedures to protect their confidential data. At a bare minimum, companies should have an Acceptable Use Policy for both employees and customers; a Data Classification and Retention Policy that outlines who needs access to what; and New and Departing Employee Procedures.
Even with rock-solid policies in place, it’s almost impossible to prevent an employee from stealing proprietary data or allowing someone else unauthorized access to it. Because of this, companies should also use technical solutions to help protect themselves, like Reis did when they discovered unusual data access and download patterns from specific IP addresses. Without that proactive approach, the data theft may have continued undetected.