Small firm hit by 3-year hacking campaign puts face on growing cyber problem

NEWYou can now listen to Fox News articles!

For three straight years, a group of Chinese hackers waged a cyber war against a family-owned, eight-person software firm in California, according to court records.

It started when Solid Oak Inc. founder Brian Milburn claims he discovered that China was stealing his company's parental filtering software, CYBERsitter. The theft hurt their business and sales, which was bad enough. But twelve days after he publicly accused Chinese hackers, he says he was inundated by attempts to bring down his Santa Barbara-based business.

Hackers broke into the company's system, shut down its email and web servers, spied on employees using their own webcams and gained access to sensitive company files, according to court records.

"We started watching sales go down," Milburn told Thursday. "We depend on cash flow and it's not like we're Apple or Dell who have lots of money. We needed to pay our bills, pay our employees and pay our salaries."

So Milburn waged his own one-man cyber fight against one of the most prolific and patient hacking teams around.

More On This...

He didn't have help from authorities, lacked the cash larger companies have and faced an unknown giant pretty much on his own -- and, last year, won a $2.2 billion settlement, from a decision in federal court in California.

Milburn's case is rare in that it ended with a big judgment -- though he declined to say whether he's received the money. But, while Solid Oak is one of the few small companies that have spoken out in detail about being victimized by hackers, the threat of cyber-assault has become all too common.

Apple Inc. reported earlier this week it was hacked by the same group that hit social-networking monster Facebook in January. The security breaches are the latest in a string of high-profile attacks on companies including The Wall Street Journal and New York Times.

Cybersecurity firm Mandiant also came out with a report earlier this week that accused a secret Chinese military unit in Shanghai of years of systematic cyber-espionage against more than 140 U.S. companies.

Adam Levin, co-founder and chairman of Identity Theft 911, says that for most companies it's not a matter of if they will have a breach but when.

"No company is ultimately immune to this," he told "A lot of the times this happens from spear-phishing -- employees at companies are opening things they think are from people within their organization or things that they think are related to their companies. They open the door, and we get killed."

According to cybersecurity experts, high tech spies have been targeting small- to medium-sized companies at alarming rates. Businesses that make the leap to computerized systems often leave their digital identities exposed and primed to be plucked by hackers.

"You hear about the big breaches on the news but what you don't hear is how they happen every day at a lot of medium- or small-sized companies," Angie Keating, CEO of Reclamere, a data security company, said.

Keating's team helps smaller businesses fend off online thugs and has followed cyber trails that have led to rogue Russian PayPal accounts and other digital money mule scams which shift ill-gotten gains from account to account. Even though one of her clients reportedly was hacked by the Chinese, Keating tells the threat isn't limited to one or two international culprits. In the time it takes to break into a major company like Apple, a home-grown hacker can steal data from dozens of smaller businesses and not be detected.

"They are the perfect target," she said. "If you have your business accounts tied in to an online bank account, I can get the routing numbers and then I can start moving money around. I can start a separate account, accept a wire transfer or send out a transfer."

One of Keating's clients, a small chiropractor's office, had their data hacked and held hostage. A person pretending to be from Microsoft got an employee to give up her password and from there wreaked havoc on the system. While Keating's team was able to untangle the tech mess, she said many other companies have not been so lucky.

Across the country many businesses victimized by cyber criminals are afraid to come forward. Several declined to speak to for this article.

Generally, they fear the stigma attached to being hacked and say admitting it sends a bad message to customers that their company isn't safe. Others simply don't have the cash to front an investigation and end up spending thousands of dollars trying to get out of the red or simply out of business.

"If I knew at the beginning what I know now, I'm not sure if I would do it again but I'm kind of stubborn," Milburn said, in reference to his lawsuit against the hackers.

Milburn's micro-tech billion-dollar victory against the Chinese government as well as a string of companies tied to the government but operating in the U.S. is a rare example of a small business taking on a giant and winning. But it wasn't easy.

"From a legal perspective, it hasn't really been done before," he said. "There was no precedent. It just didn't exist."

Milburn said some business owners have heard about his struggle and asked for advice.

"I tell them they need to be prepared for the absolute worst," he said. "I knew from the first day we started this that the battle was going to be way uphill."

Milburn said that while there was a settlement reached in his civil suit, that doesn't mean he's out of the cyber woods.

"I'd like to be able to say that all the abuse has stopped but we'll probably stay on their list for a long time," he said.