Cyber security firm says ‘hire us or else’ to clients….


A cyber security firm allegedly used its relationship with a regulator to tell prospective clients they needed to hire them “or face the music”. Photo: Damian Dovarganes

A former employee of a cyber security firm says he lied about a data breach that ultimately cost a company its life.

Companies that experience a data breach can face hefty costs, from loss of reputation to regulatory action, higher insurance bills and civil lawsuits. The other hidden cost comes from security firms promising to mop up the mess.

Richard Wallace, a former investigator at security firm Tiversa, told a federal court in the United States last week the company “doctored up” data breach information and used its relationship with a regulator to tell prospective customers “they need to hire us or face the music”.

Wallace testified in a case brought by the Federal Trade Commission against LabMD, a now defunct cancer-testing centre, which is facing charges that lax security led to the exposure of 10,000 records on a file-sharing network.

Tiversa’s technology scours file-sharing networks for evidence of leaked private information. It supplies that to customers in financial services, health and other sectors.

However, Wallace said Tiversa also gave “lists” to the FTC that were “scrubbed” of paying clients, which the regulator could then use to pursue enforcement action.

He also claimed the firm manipulated breach information to “make it look like data had spread to multiple places”.

Fairfax has seen a transcript of Wallace’s testimony, which calls into question an industry that promises to shield companies from security threats but also outlines incentives to deceive them.

“I have never before heard of such an unethical company that would actually shake down another using cyber threats,” Ty Miller, chief executive officer of Australian security firm Threat Intelligence, told Fairfax.

“The only technique that appears to be generally accepted is when a security breach has already occurred and the victims of the attack are approached to inform them.”

But offering services under those circumstances is “questionable”, said Miller. “It still raises suspicion as to whether the security company performed the initial breach.”

LabMD’s chief executive officer, Michael Daugherty, told CNNMoney that the FTC’s lawsuit killed the business.

Daugherty hasn’t responded to questions from Fairfax, but he recently testified that the FTC used “extortionate” tactics to force a settlement that would have placed LabMD in a “hall of shame” that would doom the business.

Tiversa’s chief executive officer, Robert Boback, has a different take, telling Fairfax that Wallace embellished claims that it exaggerated breach information. He said Tiversa was compelled by the FTC to provide the lists and that its reports had nothing to do with LabMD’s demise.

“LabMD lost its business because of LabMD, and no one else. Every other company in the list that we were required to provide to the FTC is still in operation with no problems. That’s 83 of 84 companies.”

“Also, contrary to Wallace’s testimony, several companies on the list were in fact our customers. That demonstrable fact completely destroys LabMD’s and Wallace’s suggestion that we put companies on the list for not paying,” said Boback.


Henry Sapiecha
