A virtual private network operator has alleged that rival NordVPN threatened to publicly release confidential information obtained through a former service provider. 

In a lawsuit filed in the US District Court for the Middle District of Florida on 24 May, Data Protection Services LLC, which does business as TorGuard, said NordVPN and TorGuard former service provider C-7 “wrongfully obtained and used TorGuard’s confidential and trade secret business information to blackmail TorGuard”. 

TorGuard said it had previously used Canadian hosting company C-7’s services, and now believes that NordVPN owns or controls it. TorGuard said C-7 had acquired the confidential information, which it uses to provide VPN services to clients and develop other technology, when it provided services to TorGuard. 

Florida-incorporated TorGuard said NordVPN, which is based in Panama, threatened to release the information unless TorGuard “forced or coerced” an unidentified third party to cease publishing “legitimate criticisms of issues associated with NordVPN’s business practices”. 

TorGuard said an unidentified individual approached one of its contractors at his personal residence, asking to speak about his relationship with TorGuard and the VPN industry. 

Within an hour of that visit, the company said, the contractor received correspondence from a NordVPN employee saying it had received TorGuard confidential information and would publish it if TorGuard persuaded an individual to remove negative YouTube postings about NordVPN. “NordVPN stated that if TorGuard did not comply, NordVPN would publish TorGuard’s confidential and trade secret information,” the lawsuit said. 

TorGuard said NordVPN went on to use the information it had obtained to carry out distributed denial of services (DDoS) attacks on TorGuard’s website, affecting the company’s relationships with clients as many were unable to sign up for its services. 

“The DDoS attacks directed against TorGuard were based upon the information – the nature and way they occurred and were timed made it patently obvious that the attacker had obtained the information from C-7 and was utilising it as a roadmap for DDoS attacks,” TorGuard said in its complaint. 

The company said NordVPN and C-7’s conduct constitutes a violation of Florida’s Computer Abuse and Data Recovery Act and trade secrets legislation, as well as tortious interference with TorGuard’s business relationships. TorGuard seeks compensation for losses it has suffered, with the amount to be determined at trial. 

A NordVPN spokesperson told GDR: "We are aware of the lawsuit, although it is rather difficult to take it seriously. All accusations are entirely made up."

She said the company had received information that led it to find a TorGuard server configuration file available on the internet, and noticed that one of the company's servers that contained private and sensitive information was left unprotected and publicly accessible.

"We disclosed the vulnerability to them with the best intentions," she said. "It is a normal practice and just the right thing to do, but they decided to file a lawsuit for blackmail."

The spokesperson added that the company now has "no choice but to take countermeasures."

Counsel to TorGuard

Losey

Adam Losey and Karen Middlekauff in Orlando

This article was originally published on Global Data Review, the only publication that analyses the law and regulation of the use and trade of data around the world. Subscribe now.