Baidu hacking lawsuit allowed to proceed

U.S. district judge says China's leading Internet search company has a "plausible" case related to a hacking that disabled the company's site for hours.

Steven Musil Night Editor / News

Baidu, China's leading Internet search company, has a "plausible" case against its U.S.-based domain registry for allegedly allowing a hacking attack that left the site disabled and defaced, a U.S. judge ruled Thursday.

The order, signed by Judge Denny Chin of the U.S. District Court for Southern New York, allows Baidu to proceed with a lawsuit it filed against Register.com in January. Baidu's suit accuses Register.com of breach of contract, gross negligence, and recklessness related to a January 11 hack attack that left Baidu disabled for several hours. Visitors to the site during those hours were redirected to a site where a group calling itself the "Iranian Cyber Army" claimed responsibility for the attack.

"I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness," Chin said in his ruling. "If these allegations are proven, then Register failed to follow its own security protocols and essentially handed over control of Baidu's account to an unauthorized intruder, who engaged in cyber vandalism."

However, Register.com did score a partial victory when Chin dismissed five of Baidu's seven claims against the domain registry, including contributing to trademark infringement and aiding trespass. Register.com still faces breach of contract and negligence charges.

Hackers seized control of Baidu's Register.com account by persuading a customer service representative to change its listed e-mail address, even though the intruder failed to correctly answer a security question, Baidu alleges in its lawsuit. The hacker then requested that the user name be sent to the new e-mail address, allowing the intruder to change the password and re-route traffic to the bogus site, Baidu alleges.

"If Register had simply followed its own security protocols, the attack surely would have been averted and neither Register nor Baidu would have been victimized," Chin wrote in his opinion.

Baidu says the incident cost it millions of dollars.

Register.com representatives did not immediately respond to a request for comment.

The "Iranian Cyber Army" that claimed responsibility for the attack had taken credit for a similar attack on Twitter in December.

Baidu said that its Chinese site--Baidu.com.cn--was unaffected by the outage. Baidu is the third-largest search engine in the world, controlling about 70 percent of the Chinese search market, compared with Google's 27.3 percent, according to online market research firm iResearch.