Artificial intelligence startup Clarifai failed to report that it had been hacked by Russian operatives while it was working on the Defense Department's Maven project, according to a lawsuit filed by former Clarifai employee and Air Force Capt. Amy Liu.
Liu said that when she asked the company to report the incident, she was fired, according to a report by Wired. Clarifai had reportedly snagged the six-month, $7 million Maven contract from the Pentagon to analyze drone footage, along with Google who were working under a separate contract.
Wired obtained an incident report saying the company's code and customer data could have fallen prey to malware from Russia in November 2017.
Clarifai disputed a number of allegations in the Wired report in a blog post penned by company Founder and CEO Matthew Zeiler explaining why Clarifai became part of the Maven project and in a statement sent to SC Media. “First and foremost, the security incident as described in the article was inaccurate and does not reflect what occurred,” a spokesperson said in a statement. “Last fall, an untargeted bot was identified on an isolated research server which is not the infrastructure on which Clarifai customers run. We quickly contained the situation and determined the bot did not access any data, algorithms or code.”
The spokesperson said the company “voluntarily notified customers following a full assessment, including an external audit and report by a security firm.
Zeiler wrote that the company has “been transparent and accommodating with employees on the project,” which “was broadly disclosed to the company as a government initiative upon finalization of the initial contract.”
He said that all team members working on Maven were “informed of the nature of the work and every employee at Clarifai has signed an NDA” with two employees being reassigned to other projects after then decided to opt out. “An important part of our culture is having employees who are actively engaged in the work that we do,” Zeiler wrote. “We make sure they understand the projects they are asked to work on and regularly accommodate employee requests to switch or work on particular projects of interest.”
But the incident speaks to a larger problem for organizations dealing with third parties, said Fred Kneip, CEO at CyberGRX. “The Clarifai breach demonstrates an issue that has become a problem for large enterprises managing third-party risk. When a company has thousands of third parties in their digital ecosystem, there will invariably be differences in the level or risk each of those third parties introduce,” he said. “That's why assessments that measure the maturity of security controls and procedures, which cast light on how a third party will manage a breach, are so important. Organizations need to understand not only which third parties are most likely to be breached, but which have the processes in place to handle a breach effectively.”
Recently it was reported that hackers from the Chinese Ministry of State Security who broke into the systems of a contractor working for the U.S. Naval Undersea Warfare Center stole 614GB of sensitive information, including plans for a supersonic anti-ship missile to be launched from a submarine.