Daniel Gericke, who works as CIO of ExpressVPN, has been named as one of the three former US intelligence and military personnel fined more than US$1.6 million by the US Department of Justice for hacking undertaken on behalf of the government of the United Arab Emirates.
In a move that will be somewhat embarrassing to ExpressVPN in the same week as their sale to Kape Technologies, it was revealed that Gericke previously worked as a mercenary hacker helping the UAE to spy on its enemies.
What did Gericke do?
According to Reuters, Gericke was part of what was known as Project Raven, which worked at the behest of the monarchy of the UAE to hack into the accounts of various individuals and groups opposed to the UAE regime, including human rights activists, journalists and rival governments.
Gericke, along with his co-defendants has accepted this and agreed to cooperate with the US authorities. He has accepted the fine in exchange for deferred prosecution. This means that he will not be facing any criminal convictions.
But on top of the hefty fine, Gericke will have to forfeit his foreign and US security clearances and he will also face future employment restrictions.
Commenting on the case, Acting Assistant Attorney General Mark J. Lesko for the Justice Department's National Security Division said in a statement, “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
The case couldn't have come to light at a worse time for ExpressVPN as they are currently finalising the details of their acquisition by Kape Technologies, as we reported earlier in the week.
The last thing that they will want at the moment is to see their Chief Information Officer being described in a court of law as a “hacker for hire”.
But nevertheless, they have released a statement supporting Gericke and claiming they were fully aware of his past.
They said, “We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users' privacy and security.”
The argument is seemingly that because Gericke has a background as a hacker, he knows the tools and technologies they use and is therefore well placed to lead defending against them.
They are adamant that Gericke retains their complete trust and insist that they are confident in Daniel's “desire and ability to contribute to our mission of enabling users to better protect their privacy and security.”
Should users be worried?
Some ExpressVPN might question whether trust is sufficient for a convicted hacker to be in the role of CIO of such a high-profile online security and privacy company.
ExpressVPN seemed to acknowledge this in the final paragraph of their statement. They reassure users that they have “robust systems and security controls in place in all our systems or products” and also flagged the various independent third-party audits they have submitted themselves to.
It seems unlikely that Gericke does pose a threat to the security of ExpressVPN users. Many may even be reassured that he is clearly far removed from the US authorities.
But these are definitely headlines that ExpressVPN could have done without, on this week of all weeks.