Lizette Chapman and Sarah McBride (Bloomberg) — The head of Tanium Inc. apologized for being “hard-edged” and for exposing a hospital’s computer network during sales pitches — the executive’s first public statement following a Bloomberg News report last week of turmoil at the cybersecurity startup.
Past and current employees described abusive behavior by Tanium’s Chief Executive Officer Orion Hindawi that led to an exodus of top executives, culminating with the departure last month of Chief Financial Officer Eric Brown.
“It is true that I personally can be hard-edged, and that I’ve had to apologize to people at Tanium when I’ve gotten too sharp at times,” Hindawi wrote in a blog late Wednesday. “And it is true that as we’ve grown, we haven’t matured processes in some areas as quickly as we’ve added people, which is something we’re working hard to build faster. These are in fact all things we need to work on, and we’re doing so every day.”
Last valued at $3.5 billion, Emeryville-based Tanium is one of venture capital firm Andreessen Horowitz’s largest bets. Hindawi, who succeeded his father and co-founder David Hindawi as CEO last year, is laying plans for an initial public offering.
Tanium’s software sends a signal to devices connected to corporate networks. It asks what software is running, the date of the last security patch and other questions — a digital conversation that each device then repeats with other devices on the network. The result is swift visibility into what is connected and what is most vulnerable. The company says it can get full network visibility in 15 seconds.
When pitching this technology to potential customers, Tanium salespeople used the internal corporate network of Silicon Valley-based El Camino Hospital for live demos. This was done without the hospital’s permission or knowledge, and the hospital’s identity was sometimes shared with the audience, according to people who presented or attended the demos. The Wall Street Journal earlier reported the practice.
“We take responsibility for mistakes in the use of this particular customer’s demo environment,” Orion Hindawi wrote in Wednesday’s blog. He didn’t identify the customer by name. “We should have done better anonymizing that customer’s data.” He said viewers didn’t connect the demo environment to the customer for years, and that he does not believe Tanium put the customer at risk.
While he noted that some customers have agreed to be used for demonstration purposes, he did not say whether El Camino Hospital had given its permission.
El Camino Hospital said it neither authorized nor knew Tanium was exposing its network to outsiders. The hospital was only recently made aware of the activity.
“El Camino Hospital is thoroughly investigating this matter and takes the responsibility to maintain the integrity of its systems very seriously,” a spokeswoman said. “It is important to note that Tanium never had access to patient information and, based on our review to date, patient information remains secure.”
During hundreds of live demos, the hospital was sometimes identified by name and sometimes referred to as an unnamed hospital, according to the people who presented or attended the demos. Audience members would sometimes request that Tanium sales reps make a specific query, which would then respond with information identifying the hospital by name and the computing device that was at that moment compromised, they added. They asked not to be identified talking about private presentations.
The demos, which revealed the hospital’s network names “ECHO” and “ECHO1”, frequently took place at the offices of Andreessen Horowitz. The VC firm prides itself on introducing portfolio companies to prospective customers. It regularly brings executives from established companies to what it calls its executive briefing center to listen to themed presentations by promising startups on subjects like finance or health care. Andreessen Horowitz declined to comment. Bloomberg LP was one of the venture firm’s early investors.
Hindawi would often present at such briefings, typically to chief information security officers and chief information officers, people who have attended the demos said. Tanium’s demos exposed the names of devices connected to the hospital’s network, along with closely guarded information, such as which computers were not patched with software upgrades, people who presented or sat in on the demos told Bloomberg.
By revealing weaknesses in El Camino Hospital’s IT architecture, Tanium may have violated federal and California state laws, including the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, said Daniel Appelman, a partner at law firm Montgomery & Hansen LLP.
“Certainly, it’s bad business practice,” Appelman said. “It sounds insane.”
In addition, the hospital may have run afoul of laws that mandate adequate cybersecurity measures, he added. The Federal Trade Commission has investigated and sanctioned companies for weak cybersecurity, and on the state level, the California Attorney General can sue companies that don’t comply with state law, Appelman said. El Camino Hospital didn’t immediately respond to questions about its potential legal liability.
Tanium’s live demos typically began with a disclaimer that the hospital had given permission for its IT environment to be shared in exchange for free services from the startup.
El Camino Hospital was used as a live case study from at least 2014, said several people familiar with the matter.
Hindawi had a master account and personally resolved problems with the hospital’s network, according to the people familiar with the situation.