CyberSecurity Firm Accused of Hacking Clients to Extort Money
In a rather bizarre turn of events, one cybersecurity company has been accused of falsifying data breaches and even hacking into companies to gain potential clients and extort money from smaller and larger organizations.
Richard Wallace, a former investigator of the accused firm, Tiversa, said in federal court last week that the company would routinely engage in fraud and “mafia-style shakedowns” against companies.
To extort potential customers, Tiversa would typically falsify and stage data breaches and then pressure the firms to pay up, with a sinister downside, Wallace said under oath.
“Hire us or face the music,” Wallace said to the judge Tuesday in the federal courtroom in Washington, D.C. Wallace said that if victims chose not to hire the firm, Tiversa would essentially ruin the company in the public eye, claiming it would tip off the government that the company had suffered a breach if it did not pay up.
In one case cited, from 2012, Tiversa ripped off LabMD, an independent cancer research facility based out of Atlanta. The firm allegedly hacked into LabMD’s computers, illegally stealing a swath of medical records.
Yes, the firm allegedly hacked into potential clients and falsified data breaches to gain new customers.
To make initial contact, Tiversa alerted LabMD that its center had been hacked, offering up its emergency incident response services. After the lab refused to pay, Tiversa threatened to tip off federal officials about an alleged “data breach.”
When LabMD again refused to pay Tiversa’s extortion fee, the firm informed the Federal Trade Commission (FTC) that the company had suffered a critical medical record breach.
Following the firm’s tip, the FTC filed a lengthy and vigorous suit against LabMD, giving the company one of two options: sign a consent decree (a plea designed to require companies to undergo years of auditing and make a public statement) or take it to court. Michael Daugherty, the CEO of LabMD, took them to court, as a plea would have essentially destroyed his reputation and business.
In a sad turn of events, Daugherty lost the battle in 2014, which led to the end of LabMD and the closing of its doors to the some 40 employees the company once had.
“The fight with the government was psychological warfare,” Daugherty said, speaking with CNNMoney. “There was reputation assassination. There was intimidation. We thought we were extorted. My staff and management team was demoralized. My VP left. My lawyer left.”
After losing his business and reputation, Daugherty launched his own website and wrote a book on the happenings, which later led to the government watchdog group Cause of Action reaching out and picking up Daugherty’s case.
LabMD was not the first case in which Tiversa had staged hacks to make national news, Wallace said. He claimed Tiversa made up a barrage of claims, citing one incident in 2009 when the firm claimed Iran had allegedly stolen blueprints for President Obama’s helicopter, instantly spawning hundreds of news stories throughout countless media outlets.
To successfully pull off the rigged attacks, Wallace claims, Tiversa would often research IP addresses known for malicious activity and abuse them to formulate attacks. The firm, which works closely with law enforcement and federal sectors of the government, would often search for malicious IP addresses that had been abused by known criminals, and would then claim that a list of IP addresses associated with criminals had stolen the critical information and shared it online. Wallace said the aim was to frighten companies and add a “wow factor.”
“So, to boil this down, you would make the data breach appear to be much worse than it actually had been?” FTC Administrative Judge Michael Chappell asked Wallace in the courtroom.
“That’s correct,” Wallace responded.
Following Wallace’s claims, Tiversa denied all allegations, telling reporters the recent revelations were “baseless” and came from a disgruntled employee who had been fired.
“This is an overblown case of a terminated employee seeking revenge,” Tiversa CEO Bob Boback said outside the courtroom. “Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.”
Tiversa is a smaller cybersecurity consulting firm based out of Pittsburgh, Illinois. The company’s board members include several highly skilled and professional experts, including four-star Army generals and founders of pro-privacy institutions.
If Wallace’s allegations turn out to be true, this could mean a different fate for Daugherty and his small 40-employee company, which Tiversa abused and shut down.