Slashdot Mirror


Cybersecurity Company Extorted Its Clients, Says Whistleblower

An anonymous reader writes: Richard Wallace used to be an investigator for Tiversa, a cybersecurity company that sells services like "breach protection" and "incident response." These days, Wallace is testifying in federal court that Tiversa faked breaches to encourage sales, and extorted clients that weren't interested. For example, Wallace said Tiversa targeted a cancer testing center called LabMD in 2010, tapping into their computers and downloading medical records. Tiversa then used those records as evidence to convince LabMD they had been hacked, offering its "incident response" service at the same time. LabMD didn't fall for it, so Tiversa told the FTC about the "hack." The FTC, none the wiser, went after LabMD in court, eventually destroying the business. Wallace has also cast suspicion on reports Tiversa has issued, including one saying President Obama's helicopter blueprints were found on Iranian computers.

6 of 65 comments

  1. The FTC report by YrWrstNtmr · Score: 5, Informative

    Details here: https://www.ftc.gov/enforcemen...

    That's some messed up stuff. Tiversa needs to be burned to the ground, and their board members in actual jail.

    1. Re:The FTC report by YrWrstNtmr · Score: 4, Informative

      However, the plot thickens:
      From the Motion to Dismiss: https://www.ftc.gov/system/fil...
      (in part) "In 2008, Lime Wire was found on a LabMD workstation at Internet Protocol address 64.190.82.42 in Atlanta, Georgia. Lime Wire was installed by a LabMD employee, without authorization and in violation of company policy."

      "On May 13, 2008, Tiversa contacted LabMD, advised that Tiversa had downloaded LabMD's file, but refused to provide any additional information unless LabMD paid Tiversa for "remediation." Over the next two months, Tiversa sent six more sales-pitch emails to LabMD. LabMD, however, declined Tiversa's shakedown."

    2. Re:The FTC report by YrWrstNtmr · Score: 2, Informative

      Copyright infringement has nothing to do with it.
      If that workstation and user have access to patient data, and that patient data is/was exposed via a P2P application...then yes, maybe they do need to be burned to the ground as well as the asshat 'security company'.

  2. Re:Tiversa breached systems? by Capt.Albatross · Score: 3, Informative

    So Tiversa breached systems to get data from them to show the system owner that they needed their services?

    But if Tiversa did breach those systems, then they did need Tiversa's services didn't they?

    Yet the linked-to article says "If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence."

    The only way I can see the evidence being bogus is if Wallace exploited a position of trust granted to him by the target company, and not even necessarily then. Whatever the truth is, the report is not self-consistent. Apparently, rational analysis and critical thinking are not employed at CNN - but we suspected that, anyway.

  3. Re:Tiversa breached systems? by gstoddart · Score: 5, Informative

    But, honestly though ... if a corporation is charged in federal court, will they pay a fine, or will someone do jail time?

    Because if the corporation will pay a fine, but a person would get jail time ... that's pretty much what a double standard means.

    So before you go all full-metal asshole on the poor guy, ask yourself, has anybody from a corporation who does this kind of crap gone to jail?

    If doing something on behalf of a corporation means you don't go to jail, then there most assuredly is a double standard.

    --
    Lost at C:>. Found at C.

  4. Re:Tiversa breached systems? by radarskiy · Score: 5, Informative

    Tiversa's claim to LabMD was not that LabMD had vulnerabilities, but that LabMD had been breached. Tiversa then claimed to the FTC that LabMD had failed to disclose a breach but did not disclose that the breach was by Tiversa themselves.

    LabMD may have needed the services of a security consulting company. No one needs the services of a lying security consulting company.