In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud — and mafia-style shakedowns. To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up. “Hire us or face the music,” Wallace said on Tuesday at a federal courtroom in Washington, D.C.. CNNMoney obtained a transcript of the hearing. The results were disastrous for at least one company that stood up to Tiversa and refused to pay. In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD’s computers and pulled the medical records. The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency “incident response” cybersecurity services. After the lab refused the offer, Tiversa threatened to tip off federal regulators about the “data breach.” When LabMD still refused, Tiversa let the Federal Trade Commission know about the “hack.”
The FTC went after the lab, giving the company a choice: sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court. The CEO of LabMD, Michael Daugherty, chose to fight, because a plea deal would have tarnished his reputation and killed the business anyway, he said. Daugherty lost that battle in 2014, having run out of steam. The lawsuit killed LabMD, which was forced to fire its 40 employees last year. “We were a small company,” he said. “It’s not like we had millions of dollars to fight this and tons of employees. The fight with the government was psychological warfare,” he told CNNMoney. “There was reputation assassination. There was intimidation. We thought we were extorted. My staff and management team was demoralized. My VP left. My lawyer left.”
Daugherty launched a website and wrote a book about the ordeal. Cause of Action, a government watchdog group, picked up his case. Wallace’s testimony casts doubt on the FTC’s case against LabMD. If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence. The FTC declined to comment, citing an ongoing lawsuit against LabMD, which still hasn’t reached its conclusion.
LabMD wasn’t the first time Tiversa’s false hacks made national news, Wallace said. He claimed that Tiversa also made up information in 2009 pointing to Iran for supposedly stealing blueprints for President Obama’s helicopter, Marine One. That scare that led to several news stories published by NBC, Fox, CNET and others. According to Wallace, Tiversa did this by using phony IP addresses — on the orders of Tiversa’s CEO, Bob Boback. The company, which works closely with law enforcement, would look up the Internet addresses that were used by known criminals or identity thieves, then claim that those IP addresses were sharing stolen files online. Wallace said it was a scare tactic that added “spread” to the supposed damage — and “wow factor.” “So, to boil this down, you would make the data breach appear to be much worse than it actually had been?” FTC Administrative Judge Michael Chappell asked. “That’s correct,” Wallace responded.
Tiversa denies Wallace’s allegations. On Thursday, Tiversa’s CEO told CNNMoney that the recent revelations were “baseless” and came from an ex-employee still angry for being fired. “This is an overblown case of a terminated employee seeking revenge,” Boback said. “Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.” Tiversa is a small cybersecurity consultancy based in Pittsburgh. Its board members include several highly-decorated experts in the security and privacy fields, including the retired four-star U.S. Army General Wesley K. Clark (formerly NATO’s Supreme Allied Commander in Europe) and Larry Ponemon (founder of the Ponemon Institute, a pro-privacy think tank). U.S. Rep. Darrell Issa, chairman of the House Oversight Committee, demanded last year that the FTC look into allegations of “corporate blackmail” by Tiversa. In a letter to the FTC in December, Issa noted that Tiversa assisted the FTC on data leak investigations of “nearly 100 companies.” This link potentially taints evidence in those cases too.