A cybersecurity expert could face a 20-year prison sentence after being accused of allegedly trying to extort a multinational IT infrastructure services biz out of $1.5 million.
Vincent Cannady, 57, was arrested in El Dorado Springs, Missouri, this week after a drawn-out attempt to obtain what he described as a “settlement” after being fired from his IT consultancy job in June 2023.
Between May 2022 and June 2023, Cannady was assigned to the unnamed, New York-based IT services company and his main responsibilities included identifying security vulnerabilities that could lead to the theft of company data. This role afforded Cannady deep access to the company’s IT estate and stored data.
According to the complaint, Cannady was fired by his consultancy employer for sub-par work performance. He was offered two weeks’ pay as a severance package and ordered to return all devices and data belonging to the company.
Three days after being fired, says the filing, Cannady is alleged ot have used a laptop issued by the company he was assigned to for a year to access and download a slew of confidential intellectual property to his personal cloud storage account.
These files are said to have included architectural maps of the company’s servers, trade secrets, lists and reports of potential vulnerabilities, and details about specific company devices that are vulnerable to attack, mentioning vulnerabilities that weren’t yet remediated.
Around two weeks later, his former employer, the consultancy business, emailed asking for an exit interview. This was after the extorted company detected the unlawful download of its proprietary data.
This is where the complaint alleges Cannady began a protracted attempt to secure a “settlement.” He is said to have alleged that his firing followed “disparate and discriminatory treatment” and that he would not be able to engage with his former employer for at least a month due to health issues.
Another two weeks went by, and the consultancy appeared to be getting antsy, per the timeline in the criminal complaint [PDF]. The business alleged it wanted assurances that the stolen data would be deleted and requested a medical note to explain the health issue.
The consultancy’s general counsel then requested a supervised deletion of the files by no later than July 24, 2023, which Cannady allegedly declined, copying two reporters into the email chain.
According to the complaint, he said: “[Y]our threats of Legal Action is not sufficient to make me delete those files” and “I am allowed to kept these files in my defense or use them to file an affirmative complaint with any Court of Subject Matter Jurisdiction.”
Cannady allegedly went on to say he would be willing to settle the matter in exchange for a sum equivalent to five years’ salary, “otherwise we will let the courts decide.”
These demands fell on deaf ears, alleges the filing, whcih goes on to claim Cannady upped the stakes. In another email, copying in more journalists, he is alleged to have reiterated his demand for five years’ salary from his former employer, and to have demanded an additional ten years’ salary from the extorted company “under intentional infliction of emotional distress law,” the complaint says.
It adds that he went on to say: “I worked very hard for you and you should have not colluded to fire me after all the hard work I did for [extorted company] and lying and saying my work was substand is the main reason I am going to sue all of you.”
After threatening legal action and publication of the stolen data, the extorted company secured a temporary restraining order against Cannady to prevent the files’ exposure.
While the company is never named in the criminal complaint, court records show New York-based Kyndryl filed a temporary restraining order on September 1, 2023, against a man named Vincent Cannady that aligned with the timeline detailed in the complaint. We asked the company about the connection but it didn’t immediately reply.
This is when the complaint alleges Cannady explicitly asked for $1.5 million in exchange for the total deletion of the files and signing a non-disclosure agreement to ensure the matter was never publicized.
The complaint says the extorted company asked for assurances that the data would never be shared in the future, and claims the contractor said: “I am not a fool why would I destroy my only leverage without a monetary agreement, adding:
Over the next few weeks, Cannady allegedly went on to threaten to leak the data to major broadcasters, the complaint claimed he seemed certain he could secure employment based on the interest his stories would generate.
He is also accused of floating the idea of securing a book deal to publicize the stolen data, and other means to bring reputational and economic harm to the company, all in the pursuit of securing an extortion payment.
Cannady is alleged to have additionally sought protection from criminal prosecution, demanding that any agreement include a clause that would prevent the company from pursuing criminal charges against him in the future.
The extorted company claimed it did eventually send Cannady a draft settlement agreement, but it didn’t include a provision that would prevent it from pursuing criminal action against him. It wasn’t accepted and negotiations essentially broke down from then.
Cannady has been charged with Hobbs Act extortion, which carries a maximum prison sentence of 20 years.
US attorney Damian Williams said: “As alleged, Vincent Cannady used illegal and extortionate threats for the purpose of obtaining over a million dollars in payments from a public company after his engagement was terminated. When those entrusted with sensitive information steal that information on their way out the door, only to extort money with a threat of releasing that information, my office will hold them responsible for their conduct.” ®