Palantir hired a cybersecurity firm last year to test its digital defenses. A confidential report shows how the pro hackers were able to dominate the tech company's network.

Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants. But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.

Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients. But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”

This conclusion was presented in a confidential report, reviewed by BuzzFeed News, that detailed the results of a hacking exercise run by Veris over three weeks in September and October last year. The report, submitted on October 19, has been closely guarded inside Palantir and is described publicly here for the first time. “Palantir Use Only” is plastered across each page.

It is not known whether Palantir’s systems have ever been breached by real-world intruders. But the results of the hacking exercise — known as a “red team” test — show how a company widely thought to have superlative ability to safeguard data has struggled with its own data security.

The red team intruders, finding that Palantir lacked crucial internal defenses, ultimately “had complete control of PAL’s domain,” the Veris report says, using an acronym for Palantir. The report recommended that Palantir “immediately” take specific steps to improve its data security.

“The findings from the October 2015 report are old and have long since been resolved,” Lisa Gordon, a Palantir spokesperson, said in an emailed statement. “Our systems and our customers’ information were never at risk. As part of our best practices, we conduct regular reviews and tests of our systems, like every other technology company does.”

Virtually every company is vulnerable to hacks, to varying degrees. In recent years, red teams generally have had a high success rate in getting deep inside of companies’ networks, and they virtually always find at least some security flaws, according to an industry source.

That Palantir did a red team exercise shows that it wanted to identify and repair any such flaws. The Veris report notes multiple strengths in Palantir’s defenses, including an “excellent” response by its security staff.

“Regular red team testing is the industry standard of excellence in maintaining a proactive security posture,” David McGuire, the director of Veris’ adaptive threat division, which handles red team services, said in an emailed statement. “Since the red team exercise conducted in 2015, Palantir has consistently carried out similar exercises with Veris Group and other vendors on a regular basis.”

Veris, a cybersecurity services and consulting firm based near Washington, DC, works with customers including Microsoft, AT&T, and the Department of Justice, according to its website. For Palantir, Veris staff acted as hackers to find out whether Palantir’s cybersecurity team could detect and stop them.

The exercise was not meant to test whether Veris could breach Palantir’s external wall. Instead, the red team was deliberately let in, to simulate what would happen if a Palantir employee succumbed to a very common and highly effective break-in technique called “spear phishing” (in which staff are targeted with innocuous-seeming emails containing harmful links or files that give attackers access to a computer).

But from that point on, the Veris team went into hacker mode, using a range of tricks to spread through Palantir’s cyber fortress, the report shows. That fortress turned out to have major vulnerabilities, and the Veris intruders soon sat themselves on the throne.

In what the report calls a “complete compromise,” the intruders uncovered encryption keys and administrative credentials that allowed them to travel widely inside the network, accessing source code, office surveillance footage, and the internal wiki, which held sensitive data about customers and projects, according to the report.

Beyond these secrets, the red team intruders accessed Palantir’s network equipment, which would have let them control the company’s internet connection if they so chose. They even found what appeared to be “access to customer infrastructure,” according to the report, or hardware powering customers’ information technology. The report says that any hacker who got this far would “possibly” be able to hack Palantir’s customers as well.

Repeatedly, the red team intruders followed a straightforward process: Find credentials for a high-level account, and then use those credentials to ferret out additional credentials that conferred even more access. They were able to “position themselves in the network for long-term persistence,” the report says. In a sign of their deep access, the intruders created a software tunnel to smuggle data out to their own servers, without being detected for most of the exercise, according to the report. Their presence was finally discovered, the report says, after they broke into the laptops of information security employees — but even then, the intruders were able to monitor the employees’ countermoves in real time, shifting tactics to evade them.

Palantir wasn’t totally defenseless, the report shows. Its network was segmented in a way that initially prevented the Veris intruders from moving very far, forcing them to take a riskier approach that increased their chances of being detected — though they managed to slip through without setting off any alarms. The company also made use of two-factor authentication, which at first “severely hampered” the intruders’ plans but ultimately just forced them, again, to use a more conspicuous strategy to gain access, according to the report.

When Palantir’s information security employees finally discovered the intruders, they “provided a rapid network response in which they identified and mitigated” the “majority” of the red team’s actions within days, the report says. Compared with other large companies, this defensive response was unusually robust, the industry source said, based on a reading of the report.

Started in part with CIA money, the 12-year-old Palantir has developed an aura of secrecy and potency that helps it recruit bright engineers and attract corporate clients. Its chairman is Peter Thiel, the widely admired venture capitalist and former PayPal CEO (who recently admitted to secretly funding a lawsuit brought by the wrestler Hulk Hogan against Gawker Media).

Part software shop and part consulting firm, Palantir places its “forward deployed engineers” on-site at client offices and uses custom-tailored software to crunch vast amounts of data. Its customers include financial institutions, such as the giant hedge fund Bridgewater Associates, and government groups such as the military’s Special Operations Command. Palantir is the third most valuable American technology startup, behind only Uber and Airbnb.

At the same time, Palantir has recently lost blue-chip clients, has struggled to stem staff departures, and has recorded 2015 revenue that was less than a quarter of its customer bookings, according to a BuzzFeed News report in early May. The report, based on a trove of internal documents and insider interviews, revealed that 102 employees had left Palantir this year through mid-April, or 5.8% of all staff.
