Clarifai Tries to Clear Up News of Compromised Server

While working on a project for the US Department of Defense, Clarifai, a New York–based AI startup, had a server compromised.

Multiple news outlets reported that Clarifai was working on the Defense Department’s Project Maven when a server was reportedly compromised, adding that the company failed to report the news to the Pentagon. Amy Liu, a former marketing executive at Clarifai, alleged that she was released from her post after insisting that the company report the compromised server, Wired reported this week.

The company disputes reports that it was targeted by Russian actors. “Wired’s story includes a number of allegations, which we strongly dispute,” a Clarifai spokesperson wrote in an email. “First and foremost, the security incident as described in the article was inaccurate and does not reflect what occurred.”

In a 13 June blog post, Clarifai founder and CEO Matthew Zeiler emphasized that the company did not experience a security incident that put government – or other customer – information at risk. Rather, the company identified an untargeted bot last fall, which Zeiler said was on an isolated research server located at a Clarifai data center.

“We quickly contained the situation and, with the services of an independent security firm, determined the bot did not access any data, algorithms or code. Also, the research server is separate from the infrastructure on which Clarifai customers run. Government customers in particular do not utilize Clarifai’s infrastructure,” the blog said.  

The company wrote that it takes information security very seriously, asserting that it voluntarily notified customers following a full assessment, which included an external audit and report by a security firm.

Because Project Maven has itself been deemed controversial, the spokesperson also noted, “We make sure our employees understand the projects they are asked to work on and regularly accommodate requests to switch or work on particular projects of interest. It is deeply frustrating and disappointing to see these false allegations about our company. At Clarifai, we are committed to building the best technology for human advancement and doing so with integrity.” 

Clarifai maintains that the former employee was terminated for lawful, legitimate business reasons. Infosecurity Magazine contacted former marketing executive Amy Liu, who shared a redacted copy of the lawsuit filed against Clarifai, which claims that "on or about Tuesday, November 7, 2017, Clarifai discovered that its systems had been hacked by an individual (or entity) from Russia, or that was running an IP address through Russia. It quickly became apparent that the hacker or hackers may have accessed Clarifai’s co-located servers without much trouble. While engaged in this 'investigatory' work, it appears that the binary file on Clarifai’s co-located server was 'accidentally' deleted. This had the effect of wiping away some evidence of the cyber-breach."

"Ms. Liu was offered a choice to be immediately terminated, or to resign with six weeks of pay, on the condition that she sign a separation agreement, which included an agreement to not disclose the hack," the lawsuit states.