Rogue cybersecurity firm killed cancer testing lab, claims ex-employee

A former employee of well-connected security firm Tiversa has claimed in court that the company falsified information about the severity of a data breach at a cancer laboratory that was later forced to close after a government data security investigation.

Georgia cancer testing laboratory LabMD – or rather, what's left of it now that all of its staff have been let go – is locked in a legal battle with the US Federal Trade Commission over claims that it violated data safety rules by allowing patients' information to leak online.

LabMD, on the other hand, claims Tiversa set it up, and on Tuesday it called a former employee of the security firm as a witness to make its case.

Richard Wallace testified that he used peer-to-peer software to download a file containing patient data from LabMD's servers while working as an investigator at Tiversa in 2008. He further claimed that his then-boss, Tiversa CEO Robert Boback, asked him to make it look as though the file had been found on other computers run by known identity thieves.

Wallace claims Boback then told LabMD that the patient records had been found on a peer-to-peer network and offered Tiversa's services to deal with the problem – either for a one-off fee or via an annual service contract.

When LabMD refused the offer, Boback then threatened to report the lab to the FTC for not securing its records properly, LabMD's founder Michael Daugherty has claimed. And when LabMD again refused to pay, Boback allegedly followed through on his threat, prompting investigations that ultimately bankrupted the medical facility.

Wallace said he resigned his position at Tiversa in February 2014 because he was being pressured to lie under oath in legal proceedings over the LabMD case. He has since been granted legal immunity by the Congressional House Committee on Oversight and Government Reform in exchange for testimony on Tiversa's activities.

Wallace claimed that falsifying data was common practice at Tiversa. The firm would log the IP addresses of known computer criminals who had been arrested, he said, then tell companies that their files had been downloaded from computers linked to those addresses and offer to fix the problem for a fee.

Tiversa also manufactured security events for publicity, Wallace claimed, including the widely reported case of the theft of blueprints for Marine One, the US President's personal helicopter, which the firm claimed to have found online on an Iranian computer. The files had actually come from a US contractor's computer and police had already dealt with the matter, Wallace said.

"It was a very publicized story. Tiversa, you know – it was very good press for Tiversa. And believe it or not, it was not easy to find an active Iranian IP address that law enforcement couldn't get ahold of," he testified, according to a transcript.

If Wallace's allegations are true, it would be rather embarrassing for former NATO supreme commander General Wesley Clark, who serves on Tiversa's advisory board. At the time of the Marine One incident, Clark said the firm's investigators "know exactly what computer [the blueprints] came from" and that they had alerted government regulators.

Clark isn't the only big name at Tiversa. Howard Schmidt, Obama's former cyber-security coordinator, also sits on the firm's advisory board, as does Larry Ponemon, founder of the eponymous institute.

Tiversa's CEO firmly denies Wallace's claims. While Wallace says he resigned on principle, Boback told The Register he was fired with cause. And as for the Marine One incident, Boback said Tiversa's report that some parts of the helicopters had appeared on an Iranian computer has been confirmed by the US Navy. Tiversa has been investigated thoroughly by the House Oversight and Government Reform Committee, he said, and "no evidence of wrong doing was ever found."

"Ironically, LabMD’s witness [Wallace] actually destroyed any defense that LabMD was attempting to mount in this case," Boback told The Reg. "Wallace testified that he, personally, downloaded the LabMD file by using a desktop computer and LimeWire, not by using Tiversa’a technology. Wallace just contradicted [LabMD's] entire argument by testifying that he only used a simple program that hundreds of millions of people have used." ®