I had an interesting situation yesterday in the business.
It was a simple enough theft that had enormous ramifications if left unchecked and really underlined to everyone here how important an understanding of business strategy and the law is when running any sort of business.
Business ain’t all beer and skittles.
Sometimes you have to step up to the plate and fend off attackers.
Here’s How It Went Down
Here’s how it went down.
In the morning, we discovered that a simple contact form plugin we’d made for WordPress (a Content Management System) had been stolen from one of the sites we use it on.
Essentially what it is is a little bit of software that creates a Contact form on a web page. It’s a nice bit of programming by one of guys that automates the creation of the Contact form, thus saving us a bit of time.
We wrote the code, so we own the copyright.
Simple.
How Was A Competitor Using This Plugin?
We discovered a web design company competitor was using this very plugin on their very own site.
The plugin had been stolen and used without our permission.
Now that’s bad enough.
What Makes It Worse Than A Simple Theft
But what makes it worse is that to steal this plugin, the web design company would have had to either hack the server that a client’s site was hosted on (and numerous clients have this plugin installed on their site) or been give the FTP (server) username and password.
So I needed to know how they stole this bit of software.
If they stole the software by hacking a server, then potentially hundreds of sites could have been compromised and we’d need hours and hours of work to re-secure every client’s site on that server.
We’d then need to reassure all of our clients of the safety of the service we provide.
If the theft had occurred after the web design company had been given the FTP details willingly by a client then it’s no big issue in terms of security for our clients – we’re just dealing with a common garden variety thief who had access (which is quite okay) and saw an opportunity to steal.
Like I said, I really needed to know how they stole this bit of software.
Anthony, our programmer, had contacted the web design firm earlier in the morning to ask if they’d stolen our software. After a minute or 2 they confirmed they had indeed and removed the plugin from their site.
I Asked Some Questions
Now it was my turn.
I emailed the owner of the business:
“Howdy XXX
We’re trying to figure out how you guys managed to steal that contact form plugin Anthony called about earlier.
You would have needed FTP access – can you let me know if you’ve taken over a client’s site (and who) or if you hacked the server.
Cheers
Brendon”
The web design business owner emailed me back with his answer that it was one of our client’s who provided access to their site and “due to privacy reasons I’m not at liberty to discuss who.”
Good one!
You Steal From Me & Now I’m Meant To Trust Your Word?!
Okay then – you steal from me and now I’m meant to take your word that you haven’t hacked a server without any proof that what you say is true.
My response to his email was pretty easy:
“What a crock of crap – which site?”
The guy then rang to say he wasn’t going to tell me which client, citing client confidentiality.
Steal Stuff, Then Take The High Moral Ground!
Not a bad try taking the high moral ground when your business has been discovered stealing other people’s hard work!
I mentioned to the guy that I’d like to know or I’d implement strategies to find out. He seemed to find that threat a bit amusing, but here’s what he needed to understand:
- This guy’s business has stolen from me.
- 1 of the 2 ways he could steal from me involves a way that would compromise the security, potentially, of 100+ client web sites.
- If I didn’t exhaust all avenues to discover how the theft was enacted here’s the situation I would have found myself in:
I’ve failed the duty of care to keep client’s sites secure by any reasonable definition and standard.
Can you imagine if this thief then steals credit card data from other compromised sites and the client discovers I knew that there was a 50/50 chances that someone had hacked into their system and I’d done nothing about it?
That I trusted the word of the company who stole from me??!
I would be:
- open to significant legal action,
- be partly liable for losses and
- be sued without doubt.
(And I reckon everyone would think I’m the dumbest clown in the world!)
As we’ve seen with hacks into banks and major government sites, hackers can get in. But that shouldn’t stop you from taking all reasonable precautions to stop them.
My Business Could Possibly Fail As A Result
My reputation would be destroyed and my business, which I’ve built up over 12 years, would potentially fail.
But this guy didn’t understand all that.
He thought it was just another empty threat from someone.
He didn’t want to breach his client’s confidentiality and supply me the name of our client who’d given them access.
I suggested very strongly he go to the client and get permission to tell me. Sure enough, an hour or so later and I had the name.
You Gotta Understand Consequences Of Your Actions
People don’t understand consequences in business a lot of the time.
There is a lot to do as a business owner other than cash the cheques.
Understanding the strategic moves that need to be made to keep a business viable are a major part of the role of being the Big Cheese.
What Would I Have Done To Find Out How It Was Stolen?
The big question is, and one of the guys in the office asked me, what would I have done to find out the client’s name who provided the server details (if in fact anyone had)?
That’s an easy one.
I would have destroyed the competitor’s business to get it, if that’s what it took.
By the end of the day I would have:
- Written a blog post on this site detailing and naming those involved in the theft
- Taken Google AdWords on the competitor’s name and the name of the owner – linking to the page detailing the mess
- Commenced significant search engine optimisation work to rank # 1 on the competitor’s name and the name of the owner – linking to the page
- Issued a media release to local media berating the local industry for putting up with amateurs who steal – and naming the competitor and the owner
- Issued several online media releases detailing the theft and naming those involved
- Tapped into my online network to disseminate the story widely
- Called, emailed and written letters to all clients who have that particular plugin installed and advising them who stole the plugin and if they have any dealings with that web design firm to let us know immediately
- Sent emails and letters detailing the theft to as many of the competitor’s clients as I could find (he has a few listed on his site)
- Sent my newsletter detailing the theft (might make a good story for the newsletter I write that has 250,000 subscribers too)
- Commenced legal action for copyright infringement
- Made a police complaint re the theft
And that’s just before dinner on Day 1 – I’d be very tired by then!
I wasn’t going to stop until I’d figure out how the plugin was stolen. I couldn’t stop – either I get that name OR my business, the jobs of everyone here and my livelihood are at significant risk.
It’s Just A Simple Bit Of Software – Does It Really Matter?
Now we discussed this in the office – it’s just a simple bit of software that’s been stolen, so does it really matter?
Yes, it really matters because the ramifications of that theft can be tremendous.
I wouldn’t have had a choice to do what I had to do.
Understand that business is about strategy and minimizing the risk of failure and maximizing the chances of success.
It might just be a simple bit of code you’re taking, but understand what could be the possible consequences of a seemingly simple theft.
Cheers
Brendon
Cheers,
{ 23 comments… read them below or add one }
Very good points raised here. It is about so much more than just a simple bit of code.
Yep.
Doing dodgy stuff opens up a whole can of worms. You have to understand, as a business owner, what the consequences can be of theft.
Only then can you effectively manage the situation.
Cheers
Brendon
Great stuff! I would have done the same thing. Gotta bookmark this just encase.
Kudos! well done! As a web developer myself and having a software development firm, I can empathize with you in every way regarding the issue. I’m glad you’ve taken the right steps to nail that thing in just a day.
Cheers!
Exactly the reason why business people should get pros to do their websites for them, and not high school students for eg. You simply don’t know what you don’t know at times.
Thanks guys
Yep, web design is often not about the design.
Very well executed. Some people just lack ethics, plain and simple. I wonder how they sleep at night or feel when they look in the mirror.
Great work, Brendon. I’m glad you didn’t have to go to those measures on this occasion, but equally glad that you were willing to.
People often don’t take small crimes like this seriously. But when you think about the possibilities for other crimes that it opened up… you really can’t afford to have that attitude.
Great stuff Brendon. A zero tolerance to any crime works better than allowing lots of little things to fester. When teh law is on your side and you know you are right, it is a powerful alied
I’m not sure about Australia; but in the US if someone admits stealing something you have a pretty cut and dry case for damages. Client confidentiality is the least of his worries.
Well done Brendon, Glad you highlighted this.
But, now multiply this out for the music industry and the film industry! We have an epidemic of people with light fingers, help themselves attitudes out there.
It seems that there is a culture in our youth that think it is OK to copy software, music and films cause they are poor and their victim is richer than them. I have many contacts / friends that just cannot see that this is stealing. They use all sorts of arguments, “I could not watch the video then, so I copied to watch later”, then they have the copy forever, lending it to their friends.
There’s so many different areas that this gets into that it’s mind boggling.
I haven’t bothered notifying the client who gave their FTP details to these guys as I figured enough hassle already.
At what point do you think it’s wise to remind clients of their legal obligations in a situation like this?
If this client has decided to take their business elsewhere, do they realise how much of their site they “own” and how much they are merely “licensed” to use?
Also, what is the default ownership of these files? Like say you didn’t have it stipulated in a contract that you retain the right to code you write, who owns it?
And like Japh says, is it the client’s legal obligation to not share the code?
I agree, the company were definitely at fault – but the client probably needs to be educated in this situation too. By my terms and conditions, the client would be breaking contract by allowing a 3rd party developer access to our code without prior permission.
Either way – rubbish situation and very glad that you got it sorted out!
I hope you realize that this is why we do business with you!
Because you are a respectable go-getter (and a lot of fun) and we admire the way you do business, you get ours. I have the confidence that if anything like this were to happen to us, we would have you supporting the “right” thing and doing your damndest to keep us “safe”.
Well done & congradulations. What a great list of things to do!
Thanks for the feedback guys.
Yep, tons of issues impact here from copyright, to giving access (we give clients FTP details because they’ve paid for hosting), and more.
And Michelle, I thought you did business with me because I encourage your husband to get a ride on mower??!
Brendon it’s either that or it’s because of how you consistently spell her name correctly :p
Thanks Luke!
Sorted.
None the wiser ;o)
Where do you draw the line on copyrighted code? How about frontend HTML, JS and CSS?
The reason why I ask is that a client of ours just changed CMS systems and ditched us, which they of course are allowed to do, and started using our competitors services instead. Fair enough.
But upon checking their new site I see that alot of CSS and HTML has just been copied across. The site design has changed slightly; It’s a bit wider, the graphics have changed, but alot of HTML, CSS and JS has just been copied straight across, making the transition alot easier on our competitor I presume.
How would you go around handling that, if in fact it is something one should get involved into?
Brendon
I’m still using the proposals I stole from you
And every other document in your book.
OH … yeah ….. you said I could use it …. but it STILL feels like stealing
)))))
Hi Billy
Great to hear from you!
Hope all is well and you’ve had to buy a new mattress under which you hide all that money you’re making!
Cheers
Brendon
Howdy “Amon”
Here’s an idea mate.
Have the courage to sign with your real name and I’m more than happy to publish what you write.
Otherwise you’re just another noise that no-one listens to.
Cheers