
Whistleblower accuses cybersecurity company of extorting clients - Osiris
http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/index.html
======
lazaroclapp
Why is "data breach" in scare quotes? There was indeed a data breach, so the
case against LabMD seems real enough. If it happened because they weren't
following reasonable practices, the FTC response might be entirely justified.

Now, the problem being that the data breach was done by Tiversa. It seems to
me that in a case where you know who the attacker was and that they stole this
data for profit (additionally, profit by extortion), the penalties for the
attacker should be much more severe than for the breached company. Regardless
of whether the company was negligent or not. Also, if they reported this to
the FTC as an "unknown attacker" type of breach that they just happened to
"detect", isn't that attempting to defraud the federal government as well?

~~~
polack
Could have been that Tiversa was given access to the infrastructure, so even
if it was a breach it was more of the "Snowden"-type than of some random
hacker from the outside. Still a breach, but one much harder to do anything
about.

------
at-fates-hands
This is such a confusing and poorly written article, I don't even know where
to start.

 _" The cybersecurity firm then alerted LabMD it had been hacked. Tiversa
offered it emergency "incident response" cybersecurity services. After the lab
refused the offer, Tiversa threatened to tip off federal regulators about the
"data breach."_

 _When LabMD still refused, Tiversa let the Federal Trade Commission know
about the "hack.""_

Not an expert, but this is the first time I've heard people trying to out
companies with bad ops sec to the FTC?? Can someone explain how or why this is
legal?

Then it gets really weird:

 _" The FTC went after the lab, giving the company a choice: sign a consent
decree (basically a plea deal which means years of audits and a nasty public
statement) or fight in court. The CEO of LabMD, Michael Daugherty, chose to
fight, because a plea deal would have tarnished his reputation and killed the
business anyway, he said."_

So basically the government can force a business to close down if they don't
comply with years of oversight and negative public comments? Somehow this
seems really sketchy.

The article basically concludes Tiversa has done this multiple times to other
companies as well. I guess this means in order to make a bunch of money I can
start a private security company, hire some hackers and then extort money from
businesses if they don't hire me and then turn them over to the FTC, who in
turn, makes them go out of business?

If this is the case, this is pretty fucking scary.

~~~
jobu
The article makes it sound like Tiversa hacked LabMD deliberately in order to
blackmail them. While that is possible, the article doesn't mention how, and
it doesn't mention that the files were supposedly found on LimeWire. Terrible
journalism.

------
yenda
Seems like this is a poor piece of journalism. Other sources indicate that the
data breach was one of the employees using LimeWire to listen to music,
accidentally sharing thousands of clients' information on the network by that
means.

[http://www.govhealthit.com/news/can-ftc-regulate-digital-hea...](http://www.govhealthit.com/news/can-ftc-regulate-digital-health-privacy)

------
nikomen
It looks like the FTC didn't do its due diligence to ensure that the evidence
presented against LabMD was legitimate? Of course, none of us would really be
surprised if this is the case.

Unfortunately, even if Tiversa is found to be at fault, LabMD is still
probably beyond recovery now that it's closed up shop.

~~~
Lorento
It sounds like they really did get hacked. Isn't the whole point of the
lawsuit that they were too insecure with sensitive information, and therefore
justifiable?

"Wallace said he tapped into LabMD's computers and pulled the medical records.
The cybersecurity firm then alerted LabMD it had been hacked."

~~~
netman21
Well, Tiversa scanned LimeWire for PII and found a file containing billing
records of patients on a PC belonging to LabMD. They copied the file and
eventually gave it to the FTC, apparently claiming they found it on multiple
computers on the LimeWire network.

------
jobu
Here's an older, but much more well-written article about this case:
[http://www.law360.com/articles/592866/tiversa-attacks-labmd-...](http://www.law360.com/articles/592866/tiversa-attacks-labmd-witness-claims-in-data-security-row)

Wallace (the whistleblower) claims that he created some false information that
Tiversa sent to the FTC. That article mentions some doubt about the previous
claims that the source of the leak was LimeWire, but doesn't give an alternate
source.

------
curiously
jesus christ....

this fucking makes me lose faith in humanity.

how can they get away with this? this is like mafia and the government joining
forces to fuck over hard working folks.

every day America is going down the shit drain. spying on its own citizens,
allies, friends, secret CIA torture sites, police brutality & militarization,
Monsanto, Dow Jones Chemical, Facebook, the list goes on.

~~~
tptacek
Someday a real rain will come and wash all this scum off the streets.

~~~
AlexandrB
That's wishful thinking. The only way things change is if someone wants them
to change and fights for it to happen. That means it's a slow, laborious
process for the most part.

