24 Mar Cybersecurity Firm With A History Of ‘Corporate Blackmail’ Raided By The FBI
Sharing the latest from TechDirt
from the fate-of-CEO-Robert-‘Whitey’-Boback-currently-unknown dept
Cybersecurity is a crowded field. Not every competitor will make it. That’s inevitable. Tiversa is one of the also-rans.
Tiversa is helmed by Robert Boback. Back in 2009, Boback was already well-versed in the cybersecurity hard sell. Here’s what he had to say about P2P software in front of a Congressional audience — an audience well-versed in the art of selling fear to fund additional government products.
Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make — along with how much it was willing to pay. Also included in the document were still-private details about the company’s financial performance. Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial.
Boback was stealthily pitching his company’s P2P monitoring service. During this hearing, he also claimed to have come across documents containing details about the President’s helicopter on an Iranian computer.
Boback may have overplayed his hand. There were no discussions about purchases of his software. But there were discussions about legislation banning the use of P2P software on government computers.
Boback’s next interaction with Congress wasn’t nearly as pleasant. The House Oversight Committee — led by Darrell Issa — was asking the FTC to take a good look at Tiversa and its habit of engaging in “corporate blackmail.”
A year before Boback’s mob-and-helicopter show in front of Congress, Tiversa was trying to get LabMD to buy its services. It claimed to have found a document containing thousands of LabMD’s customers’ information while monitoring P2P traffic. When LabMD refused to sign a contract with Tiversa, it took the info to the FTC. The FTC went after LabMD. But the data breach details Tiversa handed to the FTC were bogus.
“The possibility that inaccurate information played a role in the FTC’s decision to initiate enforcement actions against LabMD is a serious matter,” said Chairman Issa in today’s letter. “The FTC’s enforcement actions have resulted in serious financial difficulties for the company. Additionally, the alleged collaboration between the FTC and Tiversa, a company which has now admitted that the information it provided to federal government entities—including the FTC—may be inaccurate, creates the appearance that the FTC aided a company whose business practices allegedly involve disseminating false data about the nature of data security breaches.”
The letter continues: “Further, the Committee has received information from current and former Tiversa employees indicating a lack of truthfulness in testimony Tiversa provided to federal government entities. The Committee’s investigation is ongoing, and competing claims exist about the culpability of those responsible for the dissemination of false information. It is now clear, however, that Tiversa provided incomplete and inaccurate information to the FTC.”
Among this new information was the testimony of Richard Wallace, a former employee of Tiversa. As Wallace explained, the general business model of Tiversa was to fake a data breach, then approach potential customers with a sales pitch and a threat to turn them over to the FTC if they refused to purchase Tiversa’s protection. LabMD told Tiversa to beat it, which Boback didn’t appreciate. From Wallace’s testimony:
Q. Did Mr. Boback have a reaction to LabMD’s decision not to do business with Tiversa?
Q. And what was that reaction?
A. Do I say it?
MS. BUCHANAN: Answer the question.
THE WITNESS: He basically said f— him, make sure he’s at the top of the list.
According to the Congressional investigation, not only did Tiversa engage in corporate blackmail, but it faked metadata so it could claim sensitive documents had spread much further than they actually had. It also approached “affected” users directly, hoping to provoke reluctant companies into buying its services.
One of the customers it sought was the US government. But Tiversa lied to it as well. The supposed sensitive document it traced back to an Iranian computer? Sure, the document existed. But Tiversa could provide no proof that it had ever resided on that computer.
Fast-forward to earlier this month: Tiversa has been raided by the FBI.
Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry.
The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.
The Justice Department’s criminal investigation of Tiversa began after Richard Wallace, a former Tiversa employee, alleged in a 2015 Federal Trade Commission hearing that the cybersecurity firm gave the agency doctored evidence purporting to prove corporate data breaches, the people said.
An unnamed inside source sheds a little more light on the company and the FBI’s visit.
When asked whether any others were involved in the kind of fraud Boback is allegedly being investigated for, the source stated that “it was always between Bob (Boback) and Rick (Wallace). Not too many people realized what was going on. Now people are looking into the data.” And the more they look into things, the source claims, the more they uncover in the way of lies and Boback asking or directing employees to falsify findings. The source later told DataBreaches.net that he was aware of one other instance where allegedly Boback asked someone to have multiple files spread to multiple IP addresses. It is not clear to DataBreaches.net whether that employee – whose identity is unknown to DataBreaches.net – ever cooperated with that request.
Was the claim to Congress and the media about plans for Marine 1 being found on an Iranian IP a lie, DataBreaches.net asked? “Yes,” was the simple answer.
“You have to understand that Tiversa had a great technology that is the real deal but RB fucked it up. Greed. Above the law, untouchable,” the source tells DataBreaches.net.
The DOJ’s move isn’t surprising, considering the allegations in the House Oversight Committee’s report. The problem now is what to do about the FTC, which relied on tips from Tiversa to go after nearly 100 companies for supposed data breaches.
One would hope that if more concerns about Tiversa become public, then to the extent the FTC relied upon Tiversa at all for any investigation, they will do some internal contemplation about their methods and the need to independently investigate and verify third-party representations. Would FTC v. LabMD ever have happened if not for Tiversa? I seriously doubt it.
Whatever happens now, it’s likely too late to be much comfort to LabMD. Between the FTC’s action and Boback’s defamation lawsuit, the company has been run into the ground. The good news is the defamation suit has been dropped and Tiversa’s legal representation is quickly running as far away from the toxic company as humanly possible.