In a case that raises serious ethical and legal issues, a U.S. cybersecurity firm is accused by a former employee, now a whistleblower, of manipulating leaked data belonging to current and potential clients in order to sell them security services.

The alleged illegal actions

Last week, Richard Wallace, a former employee of Tiversa, claimed in court in Washington, D.C. that the company would routinely manipulate leaked data belonging to prospective clients to motivate them to purchase the cybersecurity firm's services. It is alleged that the company would find data that had leaked from a company, then make a sales call to that company offering security services to fix the problems it had just found and/or fabricated. For example, in court testimony, Wallace describes how he would manipulate stolen files to make them appear to be in the hands of known criminals when in fact they were stored on Tiversa's servers.

According to ESET security researcher Stephen Cobb, "Obviously, if these allegations are substantiated, they will be seen as some of the most egregious violations of professional ethics that the security industry has ever seen; but we do need to bear in mind that these proceedings are still ongoing and nothing is yet proven."

This has all come to a head because a cancer testing laboratory, LabMD, has accused the cybersecurity firm, Tiversa, of stealing client data back in 2010. It is alleged that Tiversa then claimed that the stolen data was being shared by known identity thieves. When the lab refused to buy the security firm's services, Tiversa threatened to report the lab to the FTC (Federal Trade Commission) for not securing its records properly. That is what happened, allegedly leading to the medical facility's eventual bankruptcy, according to a report in The Register.

As CNN Money puts it, the FTC gave LabMD a choice: "sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court." Given that a plea deal would damage the reputation of the business, LabMD took the latter option. This initial court case was lost, but following the release of a book about the case, a government watchdog, Cause of Action, has taken up the matter to pursue it further.

The CEO of Tiversa, which has close ties to law enforcement and features several prominent privacy and security experts on its board, has hit back against the allegations, telling CNN Money, "This is an overblown case of a terminated employee seeking revenge."

Ethical and legal implications

The case continues and, according to Cobb, who analyzed the court transcript for We Live Security, it raises very serious questions: "Accurately attributing actions committed in cyberspace based on digital forensics is notoriously difficult and that hampers law enforcement's ability to identify and prosecute cyber criminals, but in this case the whistle-blower is asserting inside knowledge of what took place, and that appears to be, as he describes it, deeply unethical behavior conducted at the request of company management."

"This is not forensic attribution, this is the person who committed the act testifying to that effect, and that's what law enforcement typically calls a confession," says Cobb, adding, "Normally a confession carries a lot of weight with law enforcement, but in this case the law enforcer is the FTC, and they are not going to look good if these allegations are substantiated." Cobb notes that former Tiversa employee Rick Wallace was granted criminal immunity ahead of his testimony last week, something that the Department of Justice does not do lightly.

According to Cobb, the broader issue highlighted by this case is trust in security vendors and security professionals: "To be an effective provider of security services you need the complete trust and confidence of your clients, something that security vendors work hard to earn and retain." Cobb says that when vendors use sales tactics that undermine client trust and confidence, they not only hurt themselves but also damage the security industry as a whole and, by implication, make the security of everyone's information that bit harder to ensure.

"The last thing the world needs right now, in the midst of unprecedented levels of global cybercrime, is to find ethically-challenged security vendors in our midst," says Cobb, who cautions: "We are dealing with allegations at this point, not guilty verdicts, but the case will be followed closely by many in the industry."