Data center provider fakes Tier 4 data center certificate to bag $11M SEC deal

News | Oct 17, 2024 | 7 mins | Data Center

Deepak Jain used a fictitious company named Uptime Council to issue his data center a Tier 4 certification.


Deepak Jain, CEO of a Maryland-based IT services firm, has been indicted for fraud and making false statements after allegedly falsifying a Tier 4 data center certification to secure a $10.7 million contract with the US Securities and Exchange Commission (SEC).

The charges, filed by the US Department of Justice (DOJ) and made public on Wednesday, claim that Jain and his co-conspirators deceived the SEC by creating a fictitious certifier, “Uptime Council,” to falsely verify his firm’s data center as meeting the highest reliability standards.

Tier 4 data center certificates are awarded by the Uptime Institute, not “Uptime Council.”

“Deepak Jain and his company performed fully under the SEC contract. There is no evidence that any data was lost or compromised in any way. Mr. Jain is an innocent man who looks forward to confronting these charges at trial,” Deepak Jain’s counsel Steven McCool said in a statement.

According to the indictment, Jain’s firm provided fraudulent certification documents during contract negotiations in 2011, claiming that their Beltsville, Maryland, data center met Tier 4 standards, which require 99.995% uptime and advanced resilience features. This certification was key to securing the contract with the SEC, as the Commission required a Tier 4 facility for its colocation services.

“Deepak Jain, 49, of Potomac, was the CEO of an information technology services company (referred to in the indictment as Company A) that provided data center services to customers, including the SEC,” the US DOJ said in a statement. “From 2012 through 2018, the SEC paid Company A approximately $10.7 million for the use of Company A’s data center in Beltsville, Maryland.”

The statement did not name the company where Jain was CEO or the data center for which he furnished the fake Tier 4 certificate to the SEC. However, a Crunchbase profile lists a Deepak Jain as the founder and CEO of AiNET, a Beltsville, Maryland-based company. His LinkedIn profile also says Jain is the founder of AiNET and claims the company’s data centers are Tier 4 certified.

Another news report dated 2016 shows Jain as the Founder and CEO of AiNET, which “designs, constructs, operates, and supports Internet data centers, optical fiber networks, and easy-to-understand cloud solutions. AiNET owns and operates certified Tier 4 data centers, the highest level of data center reliability.” The same report shows the company’s customers include “The Department of Defense, the Department of Labor, Securities and Exchange Commission.”

Queries to AiNET, however, did not elicit any response.

Jain is charged with six counts of major fraud against the United States and one count of making false statements.

“If convicted, he faces a maximum penalty of 10 years in prison on each count of major fraud and a maximum penalty of five years in prison on the making false statements count,” the statement added.

Allegations of fraud and security risks

The indictment details that the fraudulent certification, combined with misleading claims about the facility’s capabilities, led the SEC to award Jain’s company the contract in 2012.

“Jain orchestrated a years-long scheme to defraud the SEC by falsely certifying that his company’s data center met the highest rating level, when the actual rating did not satisfy the SEC contract,” Nicole M Argentieri, the head of the DOJ’s criminal division, said in the statement.

The scheme allegedly put the SEC’s data security and operational integrity at risk. “Yesterday’s charges make clear that the Criminal Division will not tolerate fraud schemes that threaten the security of the government’s electronic data,” Argentieri added.

The SEC, the DOJ statement added, experienced several issues with Jain’s data center, including problems with security, cooling, and power. These were the very aspects the fraudulent Tier 4 certification was supposed to guarantee.

The indictment further alleges that Jain invented the “Uptime Council,” the entity that supposedly provided the Tier 4 certification. However, the certifier did not exist, and court documents suggest that Jain’s firm took deliberate steps to conceal the data center’s deficiencies during an inspection requested by the SEC.

An employee at Jain’s company reportedly prevented SEC representatives from viewing critical infrastructure that would have exposed the data center’s inability to meet Tier 4 standards, the court document shows.

Despite growing concerns, the SEC only terminated its relationship with the data center after the contract expired in 2018. By then, the Commission had spent $10.7 million on the contract.

Impact on vendor trust and certification verification

This case highlights the vulnerabilities that organizations face when relying on third-party certifications. The fraudulent certification raises serious concerns for CIOs and IT leaders who depend on certified data centers to ensure fault tolerance and security for critical data.

“With this episode, organizations will have to go deeper to verify the reported credentials, including certifications, of a new vendor on the block. A cursory check and balance on the name of the certifying authority will help to know the likely authenticity of the certification claim,” said Abhishek Gupta, CIO at leading Indian satellite broadcaster DishTV.

CIOs often rely on multiple sources when evaluating new data center partners. Client references, physical site visits, and informal validation through the CIO community are part of the process.

“Even today, IT leaders try to evaluate the actual performance of a new prospect before onboarding as a data center partner,” Gupta added. “While certifications are important for evaluating the level of fault tolerance, additional measures, such as verifying the certifying authority’s legitimacy, are likely to gain more importance.”

“Tier certifications for data centers have long been used as a benchmark for reliability and resiliency,” said Saurabh Gugnani, director and head of cyber defense, IAM, and application security at Dutch professional services firm TMF Group. “However, if a certified datacenter fails to meet the promised levels of service or experiences a major outage, it could affect the credibility of these certifications.”

Certification authenticity forms a smaller part of the overall final decision-making, said Gupta. According to him, this episode shouldn’t change the evaluation methodology.

“Just that when things are not adding up, a healthy skepticism might arise about the veracity of certification claimed by a new vendor,” added Gupta. “In all such cases, CIOs will most likely show risk aversion and may choose not to go with a new DC partner on the block.”

The certification level of a data center helps CIOs evaluate the level of fault tolerance. “So it certainly matters in areas where security of data is of paramount importance,” Gupta said.

Lax vetting and organizational risks

The indictment also points to possible lapses on the part of the SEC in verifying the authenticity of the Tier 4 certification before signing the contract.

“Such a scam can happen not without some laxity and collusion between the consumer and the vendor,” Gupta pointed out. “Wherever such compromise happens, due to whatever considerations, the best of vetting processes will fail.”

The creation of a fake certifying company by Jain’s firm underscores the importance of not only checking the certifications but also verifying the existence of the issuing authority.

“If the auditing process behind the Tier certification is called into question, it could diminish trust in the certification as a whole,” added Gugnani. He suggested that enterprises should consider third-party penetration testing and resiliency audits to verify the strength of a data center’s infrastructure before signing contracts.