Blog Post

The Mysterious Hacking Charges Against Groupon

Major news outlets this week reported that merchants filed a lawsuit against Groupon (NSDQ: GRPN) for tampering with electronic contracts. The accusations are so serious that they could spell major trouble for Groupon — or for the people who are suing it.

The case turns on the contracts that Groupon signs with merchants who offer daily deals to customers. One merchant, a home renovations contractor, is accusing Groupon of adding new terms to the contract about when a businesses must redeem expired offers. The contractor, named BidMyCrib, signed the agreement in October by replying to an email and adding the word “Agree.”

What is remarkable about the accusation is not that Groupon changed the contract (companies sue over these things all the time) but the way that it changed it. Specifically, the complaint states the daily deal giant “intentionally accessed and altered” email accounts in order to fiddle with the digital version of the contract.

As proof, BidMyCrib’s owner claims to possess a print-out of the original email contract that is different from the one that now appears when he now opens his email. He says the email now contains an extra paragraph that wasn’t there before.

The owner, Morgan Jones, says Groupon should compensate him for breaching his privacy under a federal law concerning “Unlawful Access to Stored Communications.” What’s more, his lawsuit is a class action which means he wants to represent many other businesses who also suffered the same injury.

The accusations are simply astounding. If true, they would mean that Groupon engaged in a systematic hacking campaign for little gain (the contract change is fairly inconsequential). Moreover, its behavior would be considered not just shady business but a federal crime. If the accusations are untrue, Groupon could be in a position to sue for defamation.

So what’s going on? It seems that either Groupon is on a federal crime spree or BidMyCrib has some other agenda in making the accusations that have already been widely reported by Bloomberg and other major media outlets.

Adam Levitt of Chicago is one of the lawyers representing Ohio-based BidMyCrib. When asked for details about the alleged hacking, he would only say “the complaint speaks for itself.” A Groupon spokesperson stated, “We don’t comment on pending litigation and will speak through our court filings.”

There is little information online about BidMyCrib except for its website and a handful of reviews that accuse it of dishonest practices. Jones, the owner, did not reply to calls seeking comment. Yesterday afternoon, however, paidContent received an email tip that asked if we “chaps” were covering the hacking allegations. The correspondent said Groupon could have used various technological measures to change the merchants’ emails without logging into their account.

The message, which is jargon-heavy and appears to be written by someone whose first language is not English, is reproduced below as is the complaint. If any of our more tech-savvy readers have any insights, please send me a message or post your thoughts in the comments to help clear up this mystery.

From the tipster:

Are you chaps covering the current Groupon lawsuit involving email tampering? After reading complaint off the PACER system in USA I believe the Defendant may have used JAVA, or software update during an “request to update” via another email the receive after the receive the original email, or dynamic email containing a master file on their network to push changes to email accounts for specific emails containing contracts. This can be done. If Defendant wanted to secretly change terms of contract they can use one of the 3 methods listed above (other ways too) to modify contract terms remotely on emails in the Inbox of anyone who received the original email, and do it without anyone knowing it. I don’t think Plaintiff is stating Defendant had to personally login to Plaintiff’s email account and make changes. I get Defendant’s emails daily…these emails are dynamic and contain technology to allow changes after the fact.

Groupon Merchant class action
var docstoc_docid=”107783220″;var docstoc_title=”Groupon Merchant class action”;var docstoc_urltitle=”Groupon Merchant class action”;

7 Responses to “The Mysterious Hacking Charges Against Groupon”

  1. Live email content is a possibility, as LA points out. Additionally, from llooking at the actual court filing its pretty clear that the ‘contract’ is just within the email itself (as opposed to an attached document).

    Any email can be changed on disk. I run several mail servers, and editing any read message is as easy as ‘vi /home/username/mail/emailaddress/cur/’ . If I can gain access to a mail server, either as ‘root’ user or the username of the mail folder, I can easily change the content of a particular email after it has been read. That is nothing new, but it would be highly surprising to see a large company doing that, hence I really do wonder if, like LA proposes, the email contains ‘live’ elements.

    It would be interesting to see how an email with live elements could be accepted as a contract. To give an analogy, imagine you sign a 7 page contract. Pages 1 through 6 contain the contract wording and page 7 is a blank page for signatures. You and the other party then sign page 7 and they only give you a a copy of page 7. Then the other party replaces pages 1 through 6 with something different and claim it was the same all along.

  2. Gimme a Break

    sorry.  i was grasping for straws.  pitiful and unprofessional.  legal complaint listed here uses upper case when mentioning defendant and plaintiff.  i’m such a shit head.  anyone available for bourbon shots?

  3. Gimme a Break

    Anyone can tell that you’re the same idiot that sent the tip, stop trying to act like you’re a different person. Not that your information is incorrect, but seriously, stop insulting our intelligence. I think you’re  from the plaintiff’s company, trying to both defend and get press for yourself. So transparent. From the fake foreign accent in the “tipster” post, to your fake “Oh I’m just a regular person” comment above, lol. The fact that both you and the “tipster” capitalize “plaintiff” and “defendant” is such a great tell. Learn proper grammar. Neither of those words are to be capitalized. I can’t imagine two separate people and the only two people whose text appears on this page, out of the billions that use the internet, are making the same hideous grammar mistake.

    • Yeah, not many people try to defend anonymous company whose name they probably hear for the first time. This person’s camouflage is very lame and because he/she is very stupid too, I suspect he and his company are going to get played by Groupon big time. Not that I’m Groupon’s biggest fan.

  4. I am an email/collaboration expert with Symantec (Enterprise Vault business line).  Your alleged tipster is correct on the email changing strategies & technology.  Most people don’t know emails can be changed after a person receives it.  They most surely can be remotely & secretly changed after it arrives in the recipient’s inbox, and at a later date.  Defendant’s motive could have been to cover their tracks with Plaintiff’s contract specifically, or all merchant contracts they agreed to via the email versions, as a result of a conflict that arose and Defendant wanted to cover their ass, and/or reduce exposure to future risk. 

    Defendant sends out tens of millions of emails each day worldwide; nobody can be completely clean 100% of the time.  Obviously, Defendant doesn’t oversee their employees very well, or there wouldn’t be so many lawsuits against them.  Defendant’s own employees are suing them.  However, I don’t think Defendant as a company would have done or mandated this; rogue employees of the Defendant would have though.  Defendant is responsible for their employees actions if they are acting on the company’s behalf.  Plaintiff can easily find existing or former employees of Defendant to see if this was standard practice, or not.  I bet they can!

    By the way.  I checked the Plaintiff (BidMyCrib.com) using Google.  They have many good reviews, and an “A” rating with the Better Business Bureau.  Since 2007 Plaintiff has only had 4 complaints.  All 4 complaints appear to have occurred after their relationship with Defendant, so maybe there is a lot more to this story than what you’re reporting.  I also checked to see if they have had any type of lawsuits against them; I found no lawsuits against Plaintiff (BidMyCrib LLC or BidMyCrib.com). 

    Why didn’t you mention the good reviews, too?  For me to become a loyal follower of your website and your articles you need to provide fair and balanced reporting.  You appear to be biased.  Does Groupon and others pay you?

    • Jeff Roberts

      Fair: I’m aware of technologies that provide notice when an email is read, prevent forwarding and so on, so I will take your word that an email can be altered after it is sent.

      But there is still the larger question of whether Groupon would actually do this. It seems like a pretty big risk for a major company to undertake for relatively little gain. As for the rogue employee theory, this also seems unlikely because it is hard to imagine the average sales person having both advanced computing skills and the familiarity with legalese to draft a paragraph of boilerplate. (And, again, any prospective gain from doing so doesn’t seem to merit the risk and effort).

      As for whether I’m paid by Groupon, take a look previous reporting on the company and decide for yourself (it might be helpful to know, for instance, that I broke the story about the employee class action).