A small medical testing company in Atlanta is out of business, and the owner is blaming cybersecurity firm Tiversa. He's accusing the company of some seriously shady business tactics, and now there's a Tiversa whistleblower backing up his claims.
In 2008, Tiversa notified LabMD CEO, Michael Daugherty, that his company had a security leak that exposed a data file with more than 9,000 patients on a peer-to-peer network. The problem stemmed from a LabMD employee who installed Limewire file sharing software on his work computer. Tiversa's CEO, Robert Boback, offered to investigate the breach if LabMD hired Tiversa.
Daugherty saw the same conversation as veiled extortion. He believes Tiversa inflated the threat to sell LabMD on the firm’s services, and began retaliating when the medical testing company didn’t bite. Unsure of which employee was using the service, LabMD had trouble getting the file off the network, and Tiversa wasn’t shy about reminding them how serious the issue was.
Ultimatly, LabMD chose not to hire Tiversa. The cybersecurity firm then reported the security violation to the Federal Trade Commission as a potential risk to LabMD customers and violation of state data breach laws. The resulting FTC complaint essentially ended LabMD, though Daugherty is still fighting with the FTC in the courts.
Daugherty believes Tiversa overstated the security leak in retaliation because LabMD did not hire the security firm. And, he might be right. Former Tiversa employee and current whistleblower Richard Wallace testified that Tiversa allegedly falsified information in the LabMD case.
He says that in 2013, long after the FTC complaint was filed, he was asked to log a new set of IP addresses where the file had been detected, increasing the imaginary range of the breach. It’s unclear how that data was meant to be used, although the company was engaged in an ongoing defamation suit with Daugherty at the time. Still, according to Wallace, the data had only ever actually been in two places: LabMD’s computers and Tiversa’s. "The originating source in Atlanta is the only source that it’s ever been seen at," Wallace testified.
That means LabMD may not have even had a data breach in the first place. Its systems were definitely at risk because of the employee's Limewire installation, but Wallace's allegations cast some doubt as to whether or not anyone but LabMD and Tiversa actually downloaded secure files.
The LabMD situation is just the tip of the iceberg for Tiversa. Wallace also testified that the company used similar tactics in 2008 to "prove" that a contractor's early plans for the president's Marine One helicopter had been accessed by an Iranian IP address.
A new report, commissioned by House Oversight Committee chairman Darrell Issa, goes even further. The report accuses Tiversa of a "scheme to defraud the congress and executive agencies" by providing false information in a number of cases, including a Chicago AIDS clinic that shut down under circumstances similar to LabMD. The report also alleges that Tiversa also failed to comply with a number of subpoenas and created "a culture of intimidation," adding credence to Wallace's testimony.
If the allegations are true, Tiversa is in serious trouble. Cybersecurity firms should be helping companies secure their networks, not inventing breaches to drum up business.