Whistleblower claims cybersecurity firm hacks clients to extort them

A former employee of P2P cybersecurity firm Tiversa who has turned whistleblower testified that the firm hacks clients in order to fake data breaches and then extorts clients to pay for its 'incident response' services.

Fraud definition
Credit: Thinkstock

The P2P cybersecurity firm Tiversa is making headlines again, but this time it's because a former whistleblowing employee claims Tiversa "faked hacks and extorted clients to buy its services."

Who is Tiversa?

The company overview states, "Tiversa provides P2P Intelligence services to corporations, government agencies and individuals based on patented technologies that can monitor over 550 million users issuing 1.8 billion searches a day. Requiring no software or hardware, Tiversa can locate exposed files, provide copies, determine file sources and assist in remediation and risk mitigation."

Tiversa made headlines in 2007 when it claimed that classified military documents, including some from the Pentagon, were being leaked via P2P software installed on systems that held the data. In 2009, Tiversa said an Iranian IP address was sharing classified info that contained "the communications, navigation and management electronics on Marine One, the helicopter used by President Barack Obama." Then in 2011, Tiversa claimed, "WikiLeaks may be exploiting a feature in peer-to-peer file-sharing applications to search for classified data." The company "is hired by governments and corporations to use the same loophole to find exposed documents and figure out who might be accessing them."

In 2013, Tiversa tried to stop the publication of the tell-all book, The Devil Inside the Beltway, written by LabMD's CEO Michael J. Daugherty. The FTC had filed a data breach complaint against LabMD, a medical cancer testing laboratory, after Tiversa said it found a LabMD spreadsheet containing personal info on more than 9,000 consumers on a P2P network. Tiversa told LabMD about the breach and pressured the lab to pay it for "incident response" services, but when the lab refused to pay, Tiversa handed the info over to the FTC. The trailer for the book included phrases like "government funded data mining and surveillance, psychological warfare, and abusive government shakedown." The book allegedly "details an extraordinary government surveillance story that compromised national security and invaded the privacy of tens of millions of online users worldwide."

The CEO of Tiversa objected that the book "defamed" the company and claimed, "Daugherty's marketing to promote his book includes the statement: [w]hat began with the unauthorized but government-funded procurement of medical data for 9000+ patients from his medical laboratory turned into a government supported, financially draining, extortion attempt."

A year ago, a U.S. House of Representatives committee launched an investigation into the FTC's use of information from Tiversa which ultimately caused LabMD to run of money to fight the lawsuit and to let go of its 40 employees.

Whistleblower: Tiversa hacked to extort target companies, staged data breaches

But now, Richard Wallace, a Tiversa whistleblower, testified to hacking for Tiversa to obtain dirt that could be used in "fake data breaches" so Tiversa could basically extort the target companies to pay it for incident response services.

CNN Money reported:

According to Wallace, Tiversa did this by using phony IP addresses -- on the orders of Tiversa's CEO, Bob Boback. The company, which works closely with law enforcement, would look up the Internet addresses that were used by known criminals or identity thieves, then claim that those IP addresses were sharing stolen files online. Wallace said it was a scare tactic that added "spread" to the supposed damage -- and "wow factor."

Wallace admitted to hacking LabMD and taking the spreadsheet that contained personal info on almost 10,000 consumers. LabMD's Daugherty told CNN that it was a small company that did not have "tons of employees" or "millions of dollars to fight" the FTC; a fight based on Tiversa allegedly hacking it to snag "data breach" info.

"The fight with the government was psychological warfare," he told CNNMoney. "There was reputation assassination. There was intimidation. We thought we were extorted. My staff and management team was demoralized. My VP left. My lawyer left."

Oh, and the national news story about Tiversa pointing at Iran for stealing Marine One blueprints? That was completely bogus too, according to Wallace. In fact, he said "the company routinely engaged in fraud -- and mafia-style shakedowns." The company supposedly pulled off many scams, hacking to obtain data meant to scare potential clients into paying Tiversa for its professional cybersecurity services.

The FTC declined commenting, but Tiversa CEO Boback said the claims were "baseless." He added, "This is an overblown case of a terminated employee seeking revenge. Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities."

CNN pointed out that "Tiversa board members include several highly decorated experts in the security and privacy fields, including the retired four-star U.S. Army General Wesley K. Clark (formerly NATO's Supreme Allied Commander in Europe) and Larry Ponemon (founder of the Ponemon Institute, a pro-privacy think tank)."

If Wallace's testimony is true, then Tiversa's actions were unbelievably reprehensible.

Cybersecurity market research: Top 15 statistics for 2017