Did this cybersecurity firm use a data breach for extortion?

A whistleblower claims his company fabricated evidence in retaliation for a lost contract


In 2007, LabMD was a small but successful medical testing company based in Atlanta, processing lab samples for cancer patients — at its peak, the company employed about 40 people. Today, those employees are gone and LabMD survives largely as a shell company for CEO Michael Daugherty’s ongoing legal battle with the FTC.

“These people do damage. They scorch the earth,” Daugherty says. His battle with the commission is now eight years old, and has splintered off into a defamation suit, a defamation countersuit, and a self-published book about his struggles, titled The Devil Inside the Beltway. He has long since given up on medical testing as a business. “They’ve already killed us,” Daugherty says. “And they’re fine with that.”


Daugherty’s FTC troubles started over a data breach he says never occurred. In the summer of 2008, a single file containing social security numbers and treatment codes for nearly 9,000 patients was discovered on a peer-to-peer sharing network. The security company Tiversa downloaded the file, confirming a security flaw and giving the FTC grounds for an ongoing case against LabMD.

But now Tiversa itself has come under fire: a staff report published today by Rep. Darrell Issa (R-CA) describes "a troubling pattern" of falsified information from Tiversa, in the service of an "unethical business model." For years, Daugherty has alleged that the security firm referred LabMD to the FTC as retaliation after he refused to buy their services, and new testimony from a former Tiversa employee suggests he may be right.

Tiversa still disputes the testimony, but the case raises questions of procedure and even extortion for an otherwise reputable security company. For digital security firms, there is a fine line between identifying weaknesses and exploiting them to prove the value of a company’s services. What happens if a security company crosses the line?

* *

Tiversa first noticed LabMD in July of 2008, doing a routine scan of companies on peer-to-peer networks. At the time, peer-to-peer services like Limewire and Kazaa were still massively popular, and they opened up a new way for data to leak. If a company had a peer-to-peer program on one of its computers (typically because an employee was trying to download music at work), it could expose sensitive files to anyone on the network who cared to look. That led to a real security problem and a market niche for firms like Tiversa, which specializes in finding that data and tracing it back to its source.

In LabMD’s case, an employee had installed an unauthorized copy of Limewire Workstation, opening up a company hard drive to anyone snooping through the service. Tiversa seized a 1,718-page file that contained data on more than 9,000 patients, a massive violation of patient confidentiality. If the file ever got out, it would be a hugely damaging breach and expose LabMD to catastrophic lawsuits.

What happened next is controversial. Tiversa CEO Robert Boback says he reported the breach as routine and told LabMD what he knew. When they asked for more details, he said he only had the data the scan had turned up, but could investigate more if LabMD wanted to hire Tiversa full time. Boback left them with his company’s rates and figured he had done his duty.

Daugherty saw the same conversation as veiled extortion. He believes Tiversa inflated the threat to sell LabMD on the firm’s services, and began retaliating when the medical testing company didn’t bite. Unsure of which employee was using the service, LabMD had trouble getting the file off the network, and Tiversa wasn’t shy about reminding them how serious the issue was. "We have continued to see individuals searching for and downloading copies of the file that was provided," Boback wrote to Daugherty in one email, shortly after the initial breach. "If you need a breakdown of the various state laws regarding breach notification, I can provide one for you."

Behind the scenes, things may have been even more aggressive. A Tiversa employee named Richard Wallace recently testified that, after talks between the companies broke down, LabMD was added to a list of outstanding breaches to be reported to the FTC. According to Wallace, the purpose of the list was, "to let them know that an enforcement action is coming down the line and they need to hire us or face the music, so to speak." The FTC was already investigating peer-to-peer sharing problems, and having LabMD on the list exposed the company to an immensely damaging FTC complaint that ultimately destroyed it. To Daugherty, it was simple retaliation — because he didn’t pay for Tiversa’s services, he ended up under the hammer of the FTC.

Boback says Wallace’s claims are "absolutely ridiculous," characterizing him as a disgruntled employee out for revenge who likely perjured himself as part of the testimony. He says his conversations with Daugherty were about fixing the breach, not hiring Tiversa, and that once the FTC’s breach investigation began, he was required by law to report anything he knew. "There was no sales pitch," Boback says. "It was never a sales pitch."

But now there are new questions as to whether Tiversa’s data was accurate. Boback says the Tiversa databases showed seven computers in possession of the file, any of which could have shared the file with countless others. But Wallace says the other IP addresses were fabricated to make it seem like the LabMD data had traveled farther than it really had. What’s more, Wallace says it wasn’t the only time Tiversa tried out the trick.

Tiversa’s biggest claim to notoriety had to do with an even more serious target: the president’s helicopter. In the fall of 2008, the company discovered schematics for the president’s Marine One chopper being shared alongside the usual flood of pirated music. A defense contractor in Maryland had accidentally shared an early proposal for the helicopter’s avionics system, not realizing the file-sharing program would index his entire hard drive. A few months later, Tiversa went public with the news, announcing that they had discovered the plans being shared from an IP address in Iran. It was a black eye for the contractor, and public proof of how useful a platform like Tiversa’s could be for companies guarding sensitive data.

But according to Wallace, the story wasn’t true. "That file had already been dealt with by law enforcement, had already been remediated and taken offline," Wallace told the FTC last week. "Mr. Boback found out about it some time later and said we need to make hay out of this, so the media was contacted and the story then was that the file had been found at an Iranian IP address." Since the IP address was the only firm evidence a peer-to-peer scan would produce, Wallace says they just needed to make up an address in the Iranian block that wouldn’t be too easy to trace. That one tweak could make it look like the company was still bleeding data, even after the breach was fixed.

The company ran the same playbook on LabMD, according to Wallace. He says that in 2013, long after the FTC complaint was filed, he was asked to log a new set of IP addresses where the file had been detected, increasing the imaginary range of the breach. It’s unclear how that data was meant to be used, although the company was engaged in an ongoing defamation suit with Daugherty at the time. Still, according to Wallace, the data had only ever actually been in two places: LabMD’s computers and Tiversa’s. "The originating source in Atlanta is the only source that it’s ever been seen at," Wallace testified.

A new report, commissioned by House Oversight Committee chairman Darrell Issa, goes even further. The report accuses Tiversa of a "scheme to defraud the congress and executive agencies" by providing false information in a number of cases, including a Chicago AIDS clinic that shut down under circumstances similar to LabMD's. The report also alleges that Tiversa failed to comply with a number of subpoenas and created "a culture of intimidation," adding credence to Wallace's testimony. "Throughout this investigation, the Committee routinely found that the information provided by Tiversa either could not be verified, or simply did not make sense," the report states. "The whistleblower's testimony that Tiversa routinely falsified documents, however, filled in those gaps."

* *

Wallace’s testimony raises a serious question: did LabMD suffer a data breach at all? There was certainly a massive security flaw, but if the data never traveled beyond Tiversa’s hard drives, it’s easy to see the breach itself as a fabrication, more of a possibility than a tangible harm. Throughout his years of legal trench warfare, Daugherty has been saying that over and over, but the truth may be thornier: because of the nest of interlocking laws and enforcers at play in modern digital security, there may be no clear answer to whether LabMD was actually leaking data.

As Boback pointed out in the early emails, a company’s first concern is state data breach laws, which mandate early disclosure and often trigger lawsuits. Laws vary from state to state, but a breach is generally defined as "the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information." Was Tiversa’s first download unlawful and unauthorized? Maybe lawful, but certainly unauthorized. Either way, LabMD’s security and its patients’ confidentiality were compromised. But if Wallace’s testimony is accurate, LabMD’s data leak may not even qualify as a breach under many state laws.

Still, Daugherty’s biggest antagonist has been the FTC, and for the commission the breach itself is largely irrelevant. Like any safety inspector, the commission wants to make fixes where it sees the most harm being done. Once the FTC was involved, the case boiled down to whether or not LabMD was doing right by its customers, which is a much harder case to win. According to UC Berkeley professor Chris Hoofnagle, who’s writing a book on the history of the FTC, that leaves targets like Daugherty facing an uphill battle. "The issue for LabMD is whether their insecurity resulted in deception or unfairness," says Hoofnagle. "Even if the breach had not occurred, it could still be unfair for a medical service provider to have P2P software on the same computers it uses for medical records."

For companies dealing with sensitive data — particularly medical companies like LabMD — catching a breach early is often the difference between life and death. That gives proactive security companies immense power. In part, that’s by design. Before data-breach notification laws, which kicked off with California in 2003, such leaks were almost never made public, and widespread secrecy gave companies little reason to invest in preventing them. In 2011, a Stanford Law Review study credited the FTC’s "unpredictable" enforcement strategy with spurring more serious privacy measures within companies eager to prevent the so-called "Three Mile Island scenario" of an FTC action. The more data breaches hurt, the more creative companies have gotten in preventing them.


That dynamic has had a profound effect on the security market — flooding money toward both in-house privacy efforts and third parties like Tiversa — but it’s also put outside security firms in a strange place when it comes to reporting breaches and vulnerabilities. Researchers are routinely accused of extortion or illegal hacking after reporting holes in popular software — most notably Dmitry Sklyarov, who was arrested in 2001 after presenting research on holes in ebook security. Breaches only raise the stakes, presenting companies with painful and immediate consequences as soon as a report is made. If a single report means the difference between an FTC investigation and business as usual, nearly anything can read as a threat.

In the meantime, Daugherty has been left waging a losing fight against the FTC’s various investigative orders as the headlines fill with high-profile data breaches with massive scope and verified victims. "I don’t see them going after Target," Daugherty says. "I don’t see them going after JP Morgan." LabMD had a real and serious security issue, but it’s easy to understand his frustration. While larger companies struggle with disclosure laws, Daugherty has spent several years fighting the FTC over what could be one of the smallest breaches ever reported. "We don’t have one victim," Daugherty says. "It was never out there, never."

Correction: An earlier version of this piece referred to Rep. Darrell Issa's report as a congressional report. It is a staff report commissioned by a member of Congress. The Verge regrets the error.
