Nike Blames NSI For Site Hijacking
by Ann Harrison
The hijacking of Nike's Web site last month has sparked an international argument over whether the footwear company or Internet domain-name registrar Network Solutions (NSOL) should bear responsibility for the temporary theft of Nike.com.
The hijack took place June 21, when a group calling itself S-11 redirected traffic from Nike.com to servers at a Scotland-based Web-hosting company in a slap at both Nike and the World Economic Forum. Now, the hosting firm is threatening legal action against Nike.
Greg Lloyd Smith, director of FirstNET Online in Edinburgh, Scotland, said the wayward Nike traffic swamped his company's Web servers and impaired service to its real customers. After unsuccessfully trying to bill Nike for use of his servers, Smith said he's preparing to sue the company, based in Beaverton, Ore., for allegedly neglecting to secure its Internet domain.
Nike, in turn, said the responsibility lies with NSI in Herndon, Va. Changes to the status of Nike's domain status are supposed to be made only via NSI's encrypted and password-protected security system, said Nike spokeswoman Corby Casler. But NSI used a spoofed piece of e-mail from the S-11 group as authorization to change Nike's registry information without requiring a password, she says.
"We're still looking into exactly what happened," Casler says. "We were told that we had encryption and that we were secure and for some reason it fell through."
Casler added that Nike has locked down any further changes to its registration information at NSI and is investigating the most secure way to manage its domain. Nike is also working with the FBI and local police in Oregon "to see exactly what happened and who is liable," she said.
Smith disputed Nike's claim that it had access to the Crypt-PW encryption system through NSI, and it charged that the footwear maker subscribed to a level of security that lets changes to its domain-name information be made from an approved e-mail address. "A responsible company would not deny the fact that their domain was stolen because they did not have satisfactory security in place," Smith stated via e-mail.
However, Casler insisted that Smith's claims are inaccurate and said that Nike doesn't consider itself liable for the unintended usage of FirstNET's Web servers. Smith "did try to bill us for it, and our response is, we are both victims, and the real problem is [with] whoever it was who hacked into the system," Casler says.
Smith got into a legal battle with Amazon.com (AMZN) last year after the company won a preliminary injunction against him for using the Amazon.gr domain name in Greece in an alleged attempt to coerce a partnership. But Smith rejected any suggestion of involvement in the action against Nike. "No one from this company has anything to do with the original redirection," he says. "Our involvement was as an injured party."
NSI, which declined to comment on the circumstances surrounding the Nike domain theft, has come under harsh criticism for similar thefts in the past, including the heist of 1,300 domains from Internet.com in May.
Alan Meckler, chairman and CEO of Internet.com in New York, said NSI told his company that its registry information had been changed by forged documents that were faxed. The FBI is also investigating the theft of his company's domains, Meckler said.
NSI officials "deny that it's their fault," Meckler says. "But the fact is that if you pay [NSI], you are presuming that in the morning the last thing you have to worry about is whether you own your domains. If it's not their fault and it's not Nike's fault, then whose fault is it?"
But Connie Ellerbach, a partner at the Fenwick & West law firm in Palo Alto, Calif., said case law indicates that NSI wouldn't be liable for the domain theft because it's merely a conduit for domains and doesn't take responsibility for their validity or for changes in domain-name registrations. A domain theft suit brought against NSI by Sex.com was recently settled in favor of the domain-name registrar, she said.
Ellerbach added, though, that it would also be difficult for FirstNET to prove that Nike was negligent. "They would have to seek their damages from a third party that changed the registrations," says Ellerbach. "How is Nike going to police registration of a domain and keep them from spoofing or fooling NSI?"
Meckler said some of the domains stolen from Internet.com took a week to sort out, but were at least discovered before any Web site traffic could be redirected. "Think of the damage to us PR-wise and revenue-wise if our sites were redirected," Meckler says. "Fortunately, we caught it, but Nike wasn't as lucky."
However, Casler said the impact on Nike product sales made through Nike.com was minimal during the hijacking, which lasted from six to 24 hours depending on when the Web site was reloaded by different Internet service providers. During the incident, Web users who tried to access Nike's site were instead sent to one that criticized the company and the World Economic Forum, a pro-capitalism group that includes Nike as a member.