Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Maritz Holdings Inc. v. Cognizant Technology Solutions U.S. Corp.

United States District Court, E.D. Missouri, Eastern Division

December 19, 2019




         In 2016 and 2017, plaintiff Maritz Holdings was the victim of phishing cyberattacks which led to unknown perpetrators obtaining over $12 million dollars' worth of reward gift cards. An investigation into the 2017 cyberattack allegedly revealed a connection to account credentials that Maritz had issued to employees of its IT services provider, defendant Cognizant Technology Solutions U.S. Corporation. Maritz brings this suit alleging that Cognizant violated the federal and Missouri computer tampering statutes and breached its contract in a number of ways. Maritz also alleges tort claims of conversion, negligence and unjust enrichment.

         Cognizant moves to dismiss the complaint, arguing that Maritz has failed to allege that any Cognizant employee committed any of the cyberattacks and that Maritz cannot state claims against it under any of the theories set out in the complaint. I will grant the motion to dismiss as to the two statutory computer tampering claims and as to the conversion claim (Counts I, II and III). I also agree that Maritz cannot obtain the remedy of an accounting as part of its unjust enrichment claim, and so I will dismiss that claim for relief from Count VI. The motion is denied as to Maritz's remaining breach of contract, negligence, and unjust enrichment claims.

         Factual Background

         Maritz designs and operates customer rewards programs for corporate clients. In connection with these programs, Maritz purchases redeemable electronic gift cards and stores them in its internal computer system before issuing the gift cards to program participants. Maritz alleges its system was targeted in two successful cyberattacks in March 2016 and February 2017.

         In the March 2016 attack, an unidentified perpetrator directed three rounds of phishing emails to more than two hundred Maritz employees. The emails contained a corrupted file which, when loaded, installed a concealed “backdoor” in the target computer. The backdoor granted the perpetrator broad access to Maritz's internal computer system, allowing the perpetrator to download and redeem gift cards worth more than $11 million. Maritz's investigation into the 2016 attack could not determine the sources of the phishing emails and subsequent theft.

         The February 2017 cyberattack unfolded in similar fashion. As before, an unidentified perpetrator sent phishing emails to Maritz employees. The phishing emails contained a malicious link that installed concealed remote access tools in several Maritz computers, granting the perpetrator unfettered and undetected access to Maritz's internal computer system. Among other confidential information, the perpetrator harvested access credentials for Maritz' card fulfillment system, and allegedly stole an additional $1.2 million in unissued gift cards. Maritz again investigated the attack; unlike the first, this investigation revealed several links to Cognizant employees.

         Cognizant and Maritz had entered into an Offshore Contracting Master Services Agreement (the “MSA”) in 2010 to provide IT support and outsourcing services.[1] Cognizant employees were issued individual accounts with limited access to Maritz's computer system and databases. Maritz's investigation into the 2017 attack revealed the attackers were accessing the Maritz system using account credentials registered to Cognizant. The investigation also uncovered a third hacking attempt tied to a Cognizant account, and revealed that Cognizant employees had shared their account credentials in violation of Maritz company policy. Based on this information, Maritz concluded that Cognizant employees were responsible for the February 2017 phishing attack and gift card theft.

         Maritz's investigation additionally revealed that the same program was used by the perpetrator in both the 2017 and 2016 attacks, and that the 2017 attack showed similarities to the 2016 attack. Maritz ultimately concluded that the same Cognizant employees implicated in the February 2017 attack were also responsible for the larger March 2016 attack.

         Maritz thereafter filed this case against Cognizant alleging one violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, one violation of the Missouri Computer Tampering Statute (MCTS), Mo. Rev. Stat. § 569.095, and one count each of conversion, breach of contract, negligence, and unjust enrichment. Cognizant denies that its employees had any involvement in the attacks, and now moves to dismiss each count under Rule 12(b)(6), Fed. R. Civ. P.


         The purpose of a motion to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure is to test the legal sufficiency of the complaint. To survive a 12(b)(6) motion, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief “that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. Although a complaint need not contain “detailed factual allegations, ” it must allege facts with enough specificity “to raise a right to relief above the speculative level.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007). “A well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and ‘that a recovery is very remote and unlikely.'” Id. at 556 (internal citation omitted).

         Cognizant argues that Maritz has made no plausible allegations that would show that it or its employees were responsible for the cyberattacks. However, on this motion to dismiss, I must assume the truth of Maritz's factual allegation that “the attackers were accessing the Maritz system using accounts registered to Cognizant” in relation to the 2017 attack. This allegation gives rise to a reasonable inference that a Cognizant employee was responsible for the 2017 hacking. Further, based on Maritz's allegations that the second attacker had used the same program and “had run searches . . . for certain words and phrases connected to the Spring 2016 attack, ” a reasonable inference can be drawn that the same perpetrator committed the two attacks. ECF 1 at ¶ 42. Accordingly, because Maritz has plausibly alleged a Cognizant employee committed the 2017 gift card theft, and alleged facts from which a reasonable inference can be drawn that the same perpetrator committed the 2016 theft, I will deny Cognizant's motion to dismiss to the extent it challenges the facial plausibility of Maritz's allegations.

         Counts I, II, and III: Computer ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.