When a company needs to validate their own security, they hire a company to perform a penetration test (or pen test for short) to test it by hacking in. Which, I think we can all agree, sounds like a really cool job.
A new court filing says the software pen testing company, Pen Dat SaaS, is being sued by one of their clients, Record Me A.I., for doing more than checking the backdoors. Record Me A.I. is alleging Pen Dat SaaS modified their environment during a recent engagement, and states this erodes customer trust in their A.I. platform that records everything you do, all day, every day.
Already under fire for a recent breach which released recordings of all its customers placing orders at McDonald's restaurants, Record Me A.I. has tried to spin the breach by releasing interesting statistics they have compiled. Apparently 16% of people get angry the McRib is seasonal, 46% of people who order Happy Meals don't have children, and 99% of ice cream machines never work.
Jim Stove, a representative of Record Me A.I., said in a statement today, "We had a clear contract. They document a few security vulnerabilities they may find, and report back to us. We record audio and video of every aspect of our customers' lives, and they need to trust us whether they're in a McDonald's drive-thru, or getting a prostate exam. They can't do that if some company was making changes to our system. The purpose of the pen test was to let us know what to fix. And then we can contract out the work to the lowest bidder."
Modifying a customer environment is a big no-no. We reached out to Pen Dat SaaS to ask why they would make changes to a customer environment, and received the following statement: "We got into every system on day one, which is supposed to just be recon. In some cases, it wasn't even on purpose. Systems with no auth, systems where the username/password was 'admin', so many services built on Node 4. Node 4! That stopped getting updates in 2018! 6 years before Record Me A.I. was created. I wanted to stop the pen test there and just write 'You're Fucked' 2,000 times, but my manager advised against it. We realized it would be less work for us to update their systems, so we could document less. And when we saw half the unit tests in their customer-facing web app were failing, we felt fixing the code would just be the right thing to do. Like flipping a turtle right side up. We're confident a judge will agree with us on this case."
At this point we have to agree that Pen Dat SaaS did the right thing when they chose not to leave a mess. The lawsuit is in the early stages and can change at any time. We will be following the story as it develops.
