"Mr. Morris has repeatedly threatened to sell the servers (including the data that he claims exists on the server) to a third party," states an affidavit from Elizabeth Kiss, chief compliance officer and privacy officer at the Canadian member firm of Ernst & Young, which was filed in July.
According to that affidavit, Morris approached a former Ernst & Young partner in June to tell him that a law firm, a data company and an M&A advisory firm were interested in acquiring the alleged Ernst & Young data, with bids for it supposedly reaching $1.2 million.
Morris says he's contacted some of the customers and "demonstrated to the customers what data I have." The court filings also indicate Morris has said he sold the second server he allegedly bought to a law firm, which would consider selling it, through him, to Ernst & Young for $320,000.
"Denying something doesn't change the facts," says Morris in e-mailed remarks. "I have the data and have provided proof and a full list of names." Morris is believed to have stored copies of the sensitive data on a number of devices he has.
At this point, an order from a Calgary court requires Morris to provide Ernst & Young's legal counsel with copies of the alleged data and the primary server's serial number by Sept. 15. By Sept. 30, he's supposed to give inspectors from Ernst & Young, such as computer forensics specialists, access to the servers and devices that Morris controls that might have any Ernst & Young data stored on it.
Today, Morris said in a phone call he does intend to comply with the order, and he expects the meeting with Ernst & Young to take place in a warehouse he has. Morris says he anticipates Ernst & Young to start going through the data he has and deleting any associated with Ernst & Young, which he says is quite a lot. His time is worth money, says Morris, and he claims Ernst & Young has agreed via an e-mail exchange to pay him $1,500 per day to cooperate with the data inspection. Morris says he does about $300,000 annually in used computer equipment sales.
For Ernst & Young, there's the gnawing possibility that Morris isn't bluffing.
"They say if the data exists on the server, then it was by mistake," says Morris, who contends what he has includes a lot of sensitive financial information on businesses that all adds up to a significant data breach. Whether that's true or not could become clear in a matter of weeks.
Sign up for CIO Asia eNewsletters.