Tanium CEO apologizes for exposing hospital network in sales events

(Bloomberg) -- The head of Tanium has apologized in a company blog for exposing a hospital's computer network during sales pitches.

When pitching its security technology to potential customers, Tanium sales staff used the internal corporate network of Silicon Valley-based El Camino Hospital for live demos without the hospital's permission or knowledge, and the hospital's identity was sometimes shared with the audience, according to people who presented or attended the demos. The Wall Street Journal reported the practice on Wednesday.

"We take responsibility for mistakes in the use of this particular customer’s demo environment," wrote Orion Hindawi, Tanium’s chief executive officer, wrote Wednesday in a blog. He didn't identify the customer by name. "We should have done better anonymizing that customer’s data." He said viewers didn't connect the demo environment to the customer for years, and that he does not believe Tanium put the customer at risk.

Tanium's software sends a signal to devices connected to corporate networks. It asks what software is running, the date of the last security patch and other questions, a digital conversation that each device then carries on with other devices on the network. The result is swift visibility into what is connected and what is most vulnerable. The company says it can get full network visibility in 15 seconds.

While he noted that some customers have agreed to be used for demonstration purposes, he did not say whether El Camino Hospital had given its permission.

A spokeswoman from El Camino Hospital said it only recently learned of Tanium’s tactics and neither authorized nor knew Tanium was exposing its network to outsiders.

“El Camino Hospital is thoroughly investigating this matter and takes the responsibility to maintain the integrity of its systems very seriously,” the spokeswoman said. “It is important to note that Tanium never had access to patient information and, based on our review to date, patient information remains secure.”

During hundreds of live demos, the hospital was sometimes identified by name and sometimes referred to as an unnamed hospital, according to the people who presented or attended the demos. Audience members in sales presentations would sometimes ask Tanium sales reps to run a specific query, which would then return information identifying the hospital by name and the computing device that was compromised at that moment, they added. They asked not to be identified talking about private presentations.

Hindawi would often present at such briefings, typically to chief information security officers and chief information officers, people who have attended the demos said. Tanium's demos exposed the names of devices connected to the hospital's network, along with closely guarded information, such as which computers were not patched with software upgrades, people who presented or attended the demos told Bloomberg.

By revealing weaknesses in El Camino Hospital's IT architecture, Tanium may have violated federal and California state laws, including the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, said Daniel Appelman, a partner at law firm Montgomery & Hansen LLP.

"Certainly, it's bad business practice," Appelman said. "It sounds insane."

In addition, the hospital may have run afoul of laws that mandate adequate cybersecurity measures, he added. The Federal Trade Commission has investigated and sanctioned companies for weak cybersecurity, and on the state level, the California Attorney General can sue companies that don't comply with state law, Appelman said. El Camino Hospital didn't immediately respond to questions about its potential legal liability.

Tanium's live demos typically began with a disclaimer that the hospital had given permission for its IT environment to be shared in exchange for free services from the startup.

El Camino Hospital was used as a live case study from at least 2014, said several people familiar with the matter.

Hindawi had a master account and personally resolved problems with the hospital's network, according to the people familiar with the situation.

Other reports of turmoil have surfaced at Tanium in recent days. Past and current employees described abusive behavior by Hindawi that led to an exodus of top executives, culminating with the departure last month of Chief Financial Officer Eric Brown.

"It is true that I personally can be hard-edged, and that I’ve had to apologize to people at Tanium when I’ve gotten too sharp at times," Hindawi wrote in a blog late Wednesday. "And it is true that as we’ve grown, we haven’t matured processes in some areas as quickly as we’ve added people, which is something we’re working hard to build faster."

Last valued at $3.5 billion, Emeryville-based Tanium is planning an initial public offering.
