The Illinois-based nonprofit HIV/AIDS clinic Open Door Clinic has been around since 1977, but the last few years have been pretty rough. In 2008, the clinic received a call from a cybersecurity firm called Tiversa informing Open Door that some of its files had been leaked online.
The small clinic, which offers Illinois residents access to STI services, performed an internal investigation of the data breach and could not pinpoint a culprit. The documents had been discovered on peer-to-peer (P2P) file-sharing networks, yet none of the computers at Open Door were connected to such networks. After much discussion, the clinic declined the cybersecurity firm’s services because of its hefty price and the suspicious way it had obtained the files.
One year later, Open Door Clinic found itself the target of a class action lawsuit, brought on behalf of Open Door’s patients whose data had been breached. The same cybersecurity firm that initially approached Open Door, Tiversa, appeared to be the one leading the charge. In the end, Open Door settled the case for a “substantial amount of money.”
Five years after the settlement, the US House of Representatives Committee on Oversight and Government Reform conducted an independent investigation of its own and managed to obtain phone records that showed Tiversa had repeatedly called more than 50 patients of the Open Door Clinic.
This is just one of many examples from a newly released House Oversight Committee report, obtained by Business Insider, that lambasts Tiversa for its potentially illegal practices.
The new report plainly claims that Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks.”
“Data breach protection”
Tiversa, a Pennsylvania-based firm, clearly prides itself on its breached-data discovery. Tiversa’s website claims its solution “detects and mitigates sensitive data exposed on Peer-to-Peer networks before data can virally replicate.” In layman’s terms, this means that Tiversa trawls P2P file-sharing networks for leaked files, and if it finds a potential breach it claims it will help the affected company repair the damage.
Numerous entities have now questioned the way Tiversa contacts potential clients. At a recent FTC hearing regarding a data breach at a medical company called LabMD (a case for which Tiversa had provided the critical breach data to the federal agency), a former Tiversa employee, Richard Wallace, testified about the company’s practices.
According to Wallace’s testimony, Tiversa would “typically make up fake data breaches to scare potential clients.” The whistleblower’s testimony went on to say that the firm would systematically “pressure firms to pay up.”
More government documents than Snowden
The House Oversight Committee has since corroborated these allegations, adding that some of the data Tiversa provided to the feds was “only nominally verified but was nonetheless relied on by the FTC for enforcement actions.” The Committee’s allegations go even further, claiming that Tiversa had a potentially unethical relationship with the FTC, frequently giving the agency breached information of a company that had previously refused Tiversa’s services.
Tiversa also reportedly took aim at a governmental leak. The report claims that the firm learned of a data breach at the House Ethics Committee, yet it did not come forward with information about the leak until after a Washington Post news report was published. According to emails uncovered by the investigation and quoted in the report, Tiversa was aware of the leak and its significance “more than a week before the story was published.”
The House Oversight Committee’s findings don’t go so far as to say that Tiversa was the original unnamed source for the Post story, but they reveal that Tiversa’s CEO, Robert Boback, was used as a source for follow-up reporting.
Tiversa has also been quoted boasting about the sorts of private data it collects. Sam Hopkins, one of the men behind Tiversa’s cyber-snooping technology, was quoted as saying, “Yeah, I mean everyone knows of Snowden. Tiversa has way more than he does and Tiversa has new information on everybody.”
The 99-page report also calls into question the business practices of the company. “Not only did Tiversa primarily report companies to the FTC that had refused its services but it also manipulated its relationship with the FTC — including its knowledge of upcoming investigations — in an attempt to profit from these same companies the second time around,” the report says.
The cybersecurity industry recoils
So what does the House Oversight Committee’s report on Tiversa mean for the cybersecurity industry? It could have a big impact both on how the government deals with companies reporting breaches and on how individual firms shape their security offerings. In the wake of the report, most cybersecurity companies are actively distancing themselves from Tiversa’s practices.
Dave Aitel, CEO of the cybersecurity company Immunity Inc, told Business Insider that business models like Tiversa’s are “really rare,” and generally looked down upon by others in the industry. “You wouldn’t approach a small business,” he said.
Aitel and others hope that the report will not only put a stop to this sort of cyber-data brokering but will also act as a wake-up call to agencies like the FTC that are actively pursuing any and all data breaches. Perhaps this case will make agencies think twice before accepting data from similar companies, Aitel added.
The House Oversight Committee’s report reaches the same conclusion, stating that “Federal departments and agencies should be aware of these business practices when determining whether to do business with Tiversa.”