Whistleblower Claims Cybersecurity Company Generated Fake Data Breaches To Sell Protective Services
from the selling-you-fixes-you-don't-need-for-problems-you-don't-have dept
In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud -- and mafia-style shakedowns.Tiversa would allegedly turn over "information" about these fake breaches to the FTC and push the agency to come down hard on the companies who refused to hire it. Once the FTC started asking questions, Tiversa would again approach these companies and ask them if they'd reconsidered the use of their services.
To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.
"Hire us or face the music," Wallace said on Tuesday at a federal courtroom in Washington, D.C.. CNNMoney obtained1 a transcript of the hearing.
Wallace's testimony suggests Tiversa engaged in several unethical practices at the behest of CEO Bob Boback. One of the companies it targeted with its fake breaches was LabMD. After LabMD expressed reluctance to hire Tiversa, Bob Boback delivered a simple message to Wallace.
Q. Are you aware of whether or not LabMD agreed or refused to do business with Tiversa?The "list" was a compilation of prospective Tiversa customers, compiled with the assistance of investigators who had managed to secure personally identifiable information from companies' servers. This was the information that was threatened to be turned over to the FTC (or in some cases, was turned over before contacting the companies) if these companies refused to purchase Tiversa's services.
A. I think initially I don't think that there was a -- I don't think that they did not want to do business with Tiversa initially, and I think that as the communication advanced back and forth from Bob and different people with LabMD, I think that that's when they decided that they did not want to do business with Tiversa.
Q. Did Mr. Boback have a reaction to LabMD's decision not to do business with Tiversa?
Q. And what was that reaction?
A. Do I say it?
MS. BUCHANAN: Answer the question.
THE WITNESS: He basically said f--- him, make sure he's at the top of the list.
Q. Why does their name appear on the list?In order to make the breaches look legit, Tiversa's investigators would download sensitive files, move them to the company's servers and alter information to make it appear as though the files had been accessed or stored by a variety of IP addresses, including those of known/suspected identity thieves.
A. So that the FTC would contact them and notify them of a data breach and hopefully we would be able to sell our services to them.
Q. Did someone tell you to put their name on the list?
A. Our CEO, Bob Boback.
A. To use -- to be able to use any means necessary to let them know that an enforcement action is coming down the line and they need to hire us or face the music, so to speak.
Q. Did you, at the time this was created, have information on companies who fit the threshold but whose names do not appear on that list?
Q. Why does their name not appear on the list?
A. The list was scrubbed of all clients in the past and future clients that we felt that there might be, you know, the prospect of doing business with them. Their information was removed.
Q. Clients of Tiversa?
Q. Who made the decision to remove their names from the list?
A. Bob Boback.
THE WITNESS: Usually it would be after the fact, Bob would make contact with the company, without coming to me or coming to anyone else first, and say, you know, your file has spread to three additional IP addresses, it's in Europe and Nigeria and Poland and who knows. So then it would be up to me to make it appear that way in the data store so, if there was ever an audit or, you know, somebody was catching on, the data would be there if you -- Coveo is basically a front end for the data store. It's like a Google site, so you could type in there "insurance aging" and it's going to come up with a list of IP addresses along with the file, date and time.More on that tactic:
JUDGE CHAPPELL: If I understood you correctly, it was not true that the file was at this IP address.Wallace's testimony may be useful in placing Tiversa in the FTC's sights, something Darrell Issa brought to its attention last year. But it won't do much for LabMD, which appears to have been prosecuted out of existence based on Tiversa's phony claims.
THE WITNESS: That is correct.
JUDGE CHAPPELL: And if I were Company B in my earlier scenario, do I have any way to go to Apache Junction and see if they've downloaded my data?
THE WITNESS: We would see that in our -- in our real data store, we would show -- like, for example, with this one, this individual had over -- I was very familiar with this guy. He had over 3,000 tax returns, and he was zipping them up and selling them. Therefore, we knew that he was a bad actor, and it made it easy to put this file there, so to speak, even though he never had it physically on that computer, but we made it look -- appear like he did.
JUDGE CHAPPELL: All right. So if I follow you correctly, you never -- the file was never actually at Apache Junction.
THE WITNESS: No.
JUDGE CHAPPELL: But I, Company B, had no way of ever verifying that or knowing that.
THE WITNESS: Right.
Tiversa claims Wallace's testimony is nothing more than a fired employee being vindictive and cites its multiple awards from law enforcement agencies as evidence of its forthrightness and honesty. All well and good, but if law enforcement agencies have been subjected to the same tactics -- bogus problems and bogus fixes -- they might be handing out awards based on perceived effectiveness rather than Tiversa's actual cybersecurity skills.
The House Oversight Committee looked into Tiversa's allegations against LabMD last year and was none too impressed by the supposedly upstanding company's inability/unwillingness to turn over the information it requested.
The Committee has obtained documents and information indicating Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of data on peer-to-peer computer networks. In fact, it appears that, in responding to an FTC subpoena issued on September 30, 2013, Tiversa withheld responsive information that contradicted other information it did provide about the source and spread of the data, a billing spreadsheet file.The letter details Tiversa's evasiveness in response to the HOC's requests, noting that while it did turn over nearly 8,700 pages in response to the subpoena, 8,500 of those were five identical copies of the 1,718-page LabMD insurance aging file at the center of the FTC's investigation, leaving only 79 pages of other materials, none of which substantiated Tiversa's claims.
Despite a broad subpoena request, Tiversa provided only summary information to the FTC about its knowledge of the source and spread of the file.
If the allegations are true, Tiversa is likely looking at altering its business model. Being just another name in the cybersecurity business means even less when that name is increasingly tied to fraudulent behavior.
1 Let's address CNN's claim about "obtaining" a transcript of the hearing. Like far too many press outlets, CNN seems to believe publicly-filed documents are trade secrets and refuses to provide download links or pointers as to where these might be obtained. In this case, it apparently obtained the transcript from former LabMD CEO Michael Daugherty's website. Or it may have had it sent to it by Daugherty himself. But either way, it did not "obtain" something no one else could have obtained, no matter how much its wording suggests some sort of exclusivity. And it could have done what Daugherty did: posted the transcript so readers could read it for themselves. But it didn't. TL;DR: CNN "obtained" this transcript in the non-exclusive way that you and I "obtain" air or any other non-rival good. (Yes, air becomes rivalrous in air-free environments, but non-pedantically, the comparison holds.)