the company to recoup $5.5 million in stock
buybacks they said they were unfairly denied.
At the heart of the dispute was an attack by
hackers who used Kaseya’s VSA as a conduit
to deploy “Litecoin” mining malware, which
secretly hijacks a victim computer’s power to
make money for the hacker by processing new
cryptocurrency payments.
Kaseya publicly disclosed the attacks in a March
2014 notice to customers. Privately, it was blaming
the company’s previous leadership for not
warning about “serious vulnerabilities” in Kaseya’s
software. It sought to deprive them of the final
$5.5 million of the acquisition price to compensate
for the loss of business and damaged reputation.
The founders, in turn, blamed the new leadership
for scaling back on coding expertise and
eliminating a “hotfix” system for rapidly fixing
bugs, according to the lawsuit from Sutherland,
Wong, former CEO Gerald Blackie and former
Chief Operating Officer Timothy McMullen.
They also argued that the SQL injection
technique used by the hackers was highly
common and “inherent in any computer code”
that uses the SQL programming language.
“Ensuring that each and every piece of database
access code is immune to SQL injection is
essentially impossible,” said their lawsuit. Mellen
and Moussouris both rejected that assertion.
“That is a bold statement and provably
false,” Moussouris said. “It highlights the fact
they lacked the security knowledge and
sophistication to protect their users.”
None of the plaintiffs or their lawyers responded
to requests for comment. They agreed to dismiss