Report: DOJ investigates claims that security firm faked data breaches to FTC

The Justice Department is investigating whether cybersecurity firm Tiversa gave the government false information about data breaches at companies that did not purchase its data protection services, Reuters reports.

The criminal investigation was launched after a former employee, Richard Wallace, claimed that the firm gave the Federal Trade Commission (FTC) doctored evidence to demonstrate corporate data breaches, according to three people familiar with the probe.

Information Tiversa provided to the FTC prompted the agency to open investigations into nine companies to establish whether they were adequately protecting consumers’ personal information. The identities of the companies and the status of those investigations are not clear.

The FTC also sent letters to more than 80 companies alerting them that customer information had been made public on file-sharing networks monitored by Tiversa for personal data.

Wallace testified in an FTC hearing that Tiversa tampered with evidence to make it appear it had uncovered sensitive information being inappropriately shared across the country.

The investigation has placed scrutiny on the increasingly active role the agency has been taking in policing lax cybersecurity. It has brought more than 50 suits against companies, most of which rely on the assumption that poor cybersecurity can be considered an unfair or deceptive trade practice under the 1914 Federal Trade Commission Act.

Such settlements usually require plaintiffs to take costly measures to upgrade their data security practices.

Critics of the FTC’s claim to cybersecurity authority say the agency has failed to lay out clear regulations for companies to follow. They say it relies instead on a vague requirement that companies provide “reasonable” protection to their customers.

The business community has also condemned the agency for inappropriately punishing companies.

One of the companies implicated by Tiversa has fought back against claims that it mishandled customer information.

Last year, the FTC alleged that poor security practices at the medical testing company LabMD had allowed a patient insurance file to be publicly released through the LimeWire file-sharing network.

The FTC said that information provided by Tiversa caused it to open the investigation.

During hearings on the matter last May, Wallace testified that Tiversa reached out to LabMD and offered its remediation services, which LabMD declined.

When a company declined such an offer, Wallace said, its name was placed on the list that CEO Robert Boback would provide to the FTC.

When LabMD refused, Boback “basically said, ‘F him, make sure he’s at the top of the list,’ ” Wallace testified.

Wallace also said that he was instructed to falsify evidence to make it appear as if the patient file was being rapidly shared with identity thieves online. According to his testimony, Boback told him, “We need this at four different IP addresses, and they need to be bad guys.”

Boback has been on leave since an FBI raid in March, while the company conducts an internal investigation, a person briefed on the case told Reuters.

FTC Chief Administrative Law Judge D. Michael Chappell dismissed the case against LabMD last November, citing Wallace’s testimony. LabMD CEO Michael Daugherty says that the costs associated with the case have driven him out of business.

The agency has appealed the decision.

A Tiversa spokeswoman said in November that the company “acted appropriately and legally in every way with respect to LabMD.”

“What concerns me is the collaboration between the FTC and bad actors,” Daugherty said. “This case is not just about LabMD, it’s about every company contacted by the FTC.”