Enlarge/ Orion Hindawi, co-founder and chief technology officer of Tanium Inc. (credit: Getty Images/Bloomberg)
Following a report by The Wall Street Journal that the security vendor Tanium used a hospital's live network as a demonstration platform on sales calls and even revealed private hospital data in a publicly posted demonstration video, Tanium CEO Orion Hindawi has admitted that mistakes were made in handling data from El Camino Hospital's network. Hindawi was vague about whether the company had live access to the network, but in a blog post late yesterday, he said that the data was from "this particular customer's demo environment" and that Tanium did not—and should not—have remote access to customers' security data except in a very few cases where customers had granted access.
[Update, 3:30 pm EDT] Ars has learned from a source familiar with the installation that the company did, in fact, use a connection to El Camino Hospital's on-premises instance of the Tanium web console for demonstrations.The connection would have had to have been provided by El Camino's information technology staff—though it is not clear how far up in the hospital's administration that arrangement was approved, and the arrangement was apparently never documented. Since 2015—about the time Tanium lost access to the El Camino Hospital installation—Tanium has required that these sorts of arrangements be codified in writing.
"We do have a few customers who have agreed for us to use their environments for external demos and have provided that access to us," Hindawi wrote. "Since 2015, we’ve insisted that before a customer is willing to let us demo from their environment, regardless of the access they offer us, we document that in writing and agree on what data we can show to ensure there isn’t any confusion. Other than the few customers who have signed those documents and provided us remote access to their Tanium platforms, we do not—and in fact cannot—demonstrate customer environments with Tanium."