SecurityScorecard Accuses Vendor of Stealing Trade Secrets

Firm Claims Safe Security Competed Unfairly, Engaged in 'Skullduggery'

SecurityScorecard filed a lawsuit accusing cyber risk management rival Safe Security and former employee Mary Polyakova of engaging in unfair competition and misappropriating trade secrets.

The New York-based cyber risk ratings vendor alleged that ex-employee Polyakova stole confidential information about the company's customers and prospects before leaving last month to join Silicon Valley-based Safe Security as a sales vice president. The information cost SecurityScorecard more than $40 million to compile and includes details on 9,300 customers and prospects, according to the firm.

"While brazenly touting a 'revolutionary' approach to cybersecurity risk management, defendant Safe's only true 'revolution' is its unconstrained reliance upon unlawful skullduggery and unfair competition to build its business," SecurityScorecard said in a 30-page complaint filed Tuesday in the Southern District of New York.

Safe Security CEO Saket Modi said the company stands behind the efficacy and integrity of its products and refutes any allegations made by SecurityScorecard. "Most of our competitors, including Security Scorecard, are laying off significant portions of their teams because of the poor performance of their business," Modi said. "It's not surprising our success is drawing attention from legacy providers" (see: Safe Security Buys Cyber Risk Quantification Vendor RiskLens).

An Ex-SecurityScorecard Worker Allegedly Spills the Beans

SecurityScorecard accused Polyakova of misappropriating an extensive list of the company's customers and prospects, including the Master East List and CISO Prospect Lists, which she allegedly emailed to her personal account. The detailed customer information contained on these lists could critically damage SecurityScorecard's business if misused by Safe Security, the company claims.

Information allegedly stolen by Polyakova could facilitate Safe Security's unlawful poaching of SecurityScorecard customers and prospects, which the company alleges could cause irreparable harm. Polyakova spent more than four years in SecurityScorecard's sales organization before joining Safe Security in May as vice president of central sales.

"SSC's customer and prospect list is the direct result of years of marketing and sales efforts and cannot be replicated through publicly available sources," the company said. "SSC therefore undertakes considerable efforts to maintain the secrecy of its confidential information, including the Master East List and the CISO Prospect Lists."

Along with attempting to poach SecurityScorecard's clients through the data Polyakova allegedly shared, the company claims Safe Security unlawfully accessed SecurityScorecard's customer platform through fake accounts to enhance its own cybersecurity offerings. Safe Security used this access to quality-check its products and make misleading comparisons on the company's website, SecurityScorecard alleges (see: Bitsight, SecurityScorecard, Panorays Lead Risk Ratings Tech).

"Safe has used a shell company or an entirely fake domain to impermissibly access the SSC [SecurityScorecard] platform to perform competitive intelligence gathering," the company said. "This appears to have included trying: (i) to see the SSC products and services purchased by SSC customers; and (ii) validating SAFE's own offerings to customers."

Fake Accounts and Fake Job Interviews

These alleged actions would violate SecurityScorecard's end-user SaaS agreement by impermissibly accessing the company's platform for competitive pressures, including using IP addresses registered under fake domains. SecurityScorecard said Safe Security launched a marketing offensive that includes derogatory statements and the creation of a webpage dedicated to comparing its services with SecurityScorecard's.

"On April 9, 2024, Safe's Co-Founder and Chief Executive Officer, Saket Modi, bragged to SSC's President, Sachin Bansal, that Safe was interviewing former SSC employees with no real intention of hiring them for open positions," the company said. "As proof of these illicit fact-finding endeavors, Mr. Modi touted to Mr. Bansal confidential statistics on SSC's hiring and restructuring practices."

SecurityScorecard claims Safe Security also conducted fake job interviews with its employees to extract confidential business information. The company is seeking monetary damages as well as a court order to stop Safe Security and Polyakova from using or disclosing the information that was allegedly stolen. The company says Safe Security ignored its cease-and-desist letter and continues its unlawful activities.

"Even when caught in this web of deceptive wrongdoing, Safe has simply adopted a 'deny, deny, deny' posture, effectively doubling down on their unlawful conduct," SecurityScorecard said. "That’s precisely what necessitates the injunctive relief now sought here, to put an immediate end to these unlawful practices and protect SSC's trade secrets and confidential and proprietary information."

SecurityScorecard said it has invested more than $200 million in developing its customer and prospect base and has measures in place to protect its proprietary information. By emailing SecurityScorecard's confidential lists to her personal email before joining Safe Security, the company alleges Polyakova intended to use the information to benefit her new employer and facilitate Safe's customer poaching.

"We strongly believe that fair competition is healthy for the market and adds value for customers," a SecurityScorecard spokesperson told Information Security Media Group. "However, in circumstances where unethical practices stifle innovation and threaten the integrity of the market, we are compelled to act."

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
