Former Tiversa investigator says firm faked LabMD breach findings

What started as LabMD questioning the authority of the Federal Trade Commission (FTC) and Rep. Darrell Issa, R-Calif., saying that security company Tiversa deliberately manipulated information to provoke FTC action against the cancer testing center, has now erupted in accusations from a former Tiversa employee that the company routinely faked data breaches to solicit other companies to pay for its services.

For years, LabMD has been locked in a court battle over an FTC claim, and likely enforcement action, that eventually caused the Atlanta-based company to shutter its operations.

In 2009, the FTC began investigating a breach affecting about 9,000 LabMD customers, in which names, Social Security numbers, dates of birth and personal health insurance information were allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks.

Despite pushback from LabMD, the FTC filed a complaint against the company in late October of 2013. Additionally, a court ordered on March 10, 2014, that the company could not inquire into the legal standards the FTC has used, in the past or currently, to determine whether an organization's data security practices are deemed to be “unfair” (under Section 5 of the Federal Trade Commission Act, PDF). LabMD won a small victory in May 2014 when an administrative law judge backed LabMD's argument that the FTC should testify as to the data security standards to which it intends to hold LabMD.

With accusations flying that the information on the breach provided by Tiversa was suspect, by June, a congressional committee had called the information into question in a letter to the FTC penned by Darrell Issa, the chairman of the House Committee on Oversight and Government Reform. Issa's letter (PDF) noted the committee was concerned that Tiversa's “inaccurate” findings may have “played a role in the FTC's decision to initiate enforcement actions against LabMD.”

In its letter, the House committee also said it had “substantial concerns” about the relationship between the FTC and Pittsburgh-based Tiversa, a peer-to-peer intelligence provider. Issa even went as far as to say that Tiversa may have manipulated information pertaining to the LabMD breach.

As it turns out, that accusation has just taken on much more heft, after Richard Wallace, a former investigator for Tiversa, testified in federal court Tuesday that the security company deliberately (and routinely) manufactured and falsified security problems in an effort to pull in customers and would, in fact, bully and extort them, threatening to report "breaches" to regulators if the companies didn't capitulate and buy Tiversa services.

"Hire us or face the music," Wallace said, according to a transcript obtained by CNNMoney. Faced with “evidence” of a breach, LabMD refused to capitulate and Tiversa reported it to the commission.

Tiversa CEO Bob Boback dismissed the accusations to CNNMoney as "an overblown case of a terminated employee seeking revenge." Tiversa, which counts former General Wesley J. Clark on its board, has received, Boback says, "multiple awards from law enforcement for our continued efforts to help support them in cyber activities."

While Wallace's testimony casts aspersions on the FTC's complaint against LabMD, the agency's administrative action is still underway and it is unclear how these revelations, if proven to be true, will affect that process.
