On Monday we shared the story of Express Scripts suing Ernst & Young and one of its former partners, Donald Gravlin, of stealing a bunch of proprietary information from the company's headquarters in St. Louis. The suit went so far to say that the firm and Gravlin had an "evil motive" and "engaged in unlawful and malicious competitive intelligence gathering," but the Bloomberg story didn't have the kinds of details that would lead you to believe that Gravlin was some Double-O under the watchful eye of an E&Y-6 organization.
A new report from the St. Louis Post-Dispatch, however, adds quite a few details to the story, although it doesn't necessarily clarify anything, in fact it's more complex than before.
For starters, the suit makes it sound like Gravlin was employing more sophisticated measures than we suspected:
Gravlin emailed the sensitive data to himself by sending it to “at least five different email addresses,” the suit alleges, and tried to “destroy evidence of his theft” by altering and deleting data on Express Scripts’ computers and email servers.According to the complaint, the case broke on Aug. 29, 2012, when Express Scripts’ security team identified “a number of suspicious emails containing confidential and proprietary information and documents” that had been sent from an Ernst & Young tax consultant’s computer at the Express Scripts headquarters to an odd-sounding personal email account at Google: gmale66666@gmail.com.An internal probe revealed that those emails were sent by Gravlin, who had used Ernst & Young tax consultant Michelle Borman’s user name and password, which she shared with other Ernst & Young employees, the complaint alleges. Borman, who works at the accounting firm’s offices in Chicago, has not been named as a defendant.
Secondly, the Post-Dispatch makes Express Scripts sound like Fort Knox:
Express Scripts is considered such a tightly managed company. Its gleaming headquarters on the campus of the University of Missouri-St. Louis is a virtual fortress.
That's all well and good, but all mega-corporations have tight security and their contractors — accountants, consultants, external counsel — who regularly work at the location and would have access to the grounds and security would never consider it unusual for any of those people to be working at odd hours. If Gravlin was a regular at Express Scripts, he could likely come and go as he pleased.
BUT! The suit makes it sound as though he was going out of his way to conceal his comings and goings:
“Since at least March 2012, Gravlin had been sneaking into Express Scripts’ facilities with false credentials and using several E&Y employees’ computer security credentials — with E&Y’s knowledge and consent — to access and steal the companies’ confidential and trade secret information,” the suit alleges.
Okay, "false credentials"? and — hold the phone — "with E&Y's knowledge and consent"? You mean Jim Turley was watching live from a situation room while stroking a longhaired feline while watching from a situation room?
Not exactly.
The lawsuit contends that Tom Thelen, the Ernst & Young partner overseeing the accounting firm’s contract with Express Scripts, has acknowledged that “he knew that Gravlin had taken the companyies’ [sic] information before Express Scripts’ personnel discovered it, but failed to notify anyone at Express Scripts.”
The Post-Dispatch story doesn't dig into Thelen's role, but like Ms. Borman, he is not listed as a defendant. E&Y is maintaining their innocence and reiterated for this story that Gravlin was no longer with the firm.
Got all that? We'll update as we learn more.
Tech guru is a rising star, but did he step over the line? [SLPD]
Supposedly the picture at right was from last night’s 
