'We should have done better' – the feeble words of a CEO caught using real hospital IT in infosec product demos
Understatement of the month: 'Mistakes were made'
The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers.
Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint protection software. The hospital had not given permission for its computers and data to be used in this way.
"We take responsibility for mistakes in the use of this particular customer's demo environment. We should have done better anonymizing that customer's data," Tanium boss Orion Hindawi confessed on Thursday.
"Viewers didn't connect the demo environment to that customer for years, and we do not believe we ever put our customer at risk with the data we showed. Looking at those demos, we see there are easy things we should have done to obscure and anonymize further."
A spokesperson for El Camino hospital told The Register "no patient data or personally identifying information was accessed by Tanium."
And a representative at Tanium added:
"Tanium did not expose any hospital records or patient data. We should have done better anonymizing that customer’s data but we do not believe we ever put our customer at risk with the data we showed."
Tanium's software can quickly scan networks to build maps of endpoints and list which applications and services are running. Administrators can search the maps for particular machines, and gain remote control of the boxes.
Hindawi said that since 2015, his biz has always explicitly asked its customers if it could use their data and IT gear in demonstrations, and has obtained written consent. Only a few customers are willing to do this, and Tanium – based in Emeryville, California – is fine with that, the chief exec said.
While hammering away at his keyboard today, the errant CEO took time to savage some of the press coverage his organization has received over the past few weeks. There have been reports of turmoil in Tanium, with nine senior executives leaving in the last eight months; tales of staff being fired just before their stock options vested; and insulted staff being called stupid or fat.
"It is true that I personally can be hard-edged, and that I've had to apologize to people at Tanium when I've gotten too sharp at times," Hindawi said.
"It is true that we fire people when they don't meet our ethical or performance standards, and we understand that from the outside that may raise questions about the number of people leaving. What is not true is that we have a toxic culture. Mission-oriented, hard-charging, disciplined, even intense, but not toxic."
It's not clear what effect, if any, these allegations will have on Tanium's plans for an IPO. The privately held family-owned firm is VC funded and has a valuation of around $3.5bn, and that figure is unlikely to fall unless customers start fleeing. ®