Tanium exposed hospital’s IT while using its network in sales demos

Orion Hindawi, co-founder and chief technology officer of Tanium Inc.

Information security company Tanium is a relatively well-established “next-generation” cybersecurity vendor that was founded 10 years ago—far ahead of the wave of the venture capital-funded newcomers, like Cylance, who have changed the security software space. (Tanium has reached a market valuation of more than $3 billion, though there are no indications of when it will make an initial public offering.)

Starting in 2012, Tanium apparently had a secret weapon to help it compete with the wave of newcomers, which the company’s executives used in sales demonstrations: a live customer network they could tap into for product demonstrations. There was just one problem: the customer didn’t know that Tanium was using its network. And since the customer was a hospital, the Tanium demos—which numbered in the hundreds between 2012 and 2015, according to a Wall Street Journal report—exposed live, sensitive information about the hospital’s IT systems. Until recently, some of that data was shown in publicly posted videos.

In 2010, Tanium’s software was installed at Allscripts Healthcare Solutions’ El Camino Hospital (which markets itself as “the hospital of Silicon Valley”) in Santa Clara County, California. The hospital no longer has a relationship with Tanium. While Tanium did not have access to patient data, the demos showed desktop and server management details that were not anonymized.

Technology Lab – Ars Technica