Tag Archives: Insider theft

The Insider Threat – Goldman Sachs Edition

In a somewhat bizarre case, a Goldman Sachs programmer has been convicted for the second time of stealing software that he developed for Goldman (see Wired article).  The first conviction was overturned and the second may be nullified by the judge.

Sergey Aleynikov was convicted in 2011 on espionage and theft of trade secret charges.  He was accused of stealing the source code for Goldman’s high speed trading platform he helped develop prior to leaving for another firm.

The following year the conviction was reversed: according to the appeals court, the code is not physical property, so the theft statute he was charged under did not apply.

After the reversal, Sergey was released from prison after serving 1 year of his original 8-year sentence.

Goldman, not being happy that the conviction was overturned, worked with the NY District Attorney, and he was charged under state law (the initial conviction was under Federal law) with “unlawful use of secret scientific material” and “unlawful duplication of computer related material”.  He was found guilty of the first charge and acquitted on the second.  I am not sure how that might work, but that was what the jury decided.

Sergey was earning $400,000 a year at Goldman when he decided to take a new job with Teza Technologies which would have paid him $1.2 million.

A few days before he left Goldman, he downloaded and encrypted code he had worked on and transferred it to a website hosted in Germany.  Then he erased the program he used to encrypt the files.  He also attempted to delete the log files showing his activity.  This does not seem to me like the activities of a person who thought what he was doing was legal.

His story was that he only intended to collect open source software.  According to his attorney, only 32 megabytes of the 1,224 megabytes of code he took was proprietary.  If true, that would tend to support his claim.

The appeals court said that because he did not assume physical control over anything when he took the source code, he did not deprive Goldman of its use, therefore he did not steal anything.

Apparently, the judge in the second case is skeptical of the conviction and may overturn it.  If that doesn’t happen, I assume Sergey will appeal it.

So what does all this mean?

To an employer concerned about insider threats, it means that the threat is not limited to low-compensation employees and it is not limited to physical objects.  It also means that it is very difficult to actually obtain a conviction (the theft happened in 2009).

To an employee, it means that your actions may be viewed very differently by an employer than by you and even if you think what you are doing is legal, your employer may not agree.  And, if your employer disagrees with your interpretation, your life will be hell for a long, long time.

With Sergey earning almost half a million dollars a year and Goldman being pretty profitable, a LOT of money has been spent on this over the last 6 years.  AND, it is not over yet.

Also, the police did not find any of Goldman’s code on Teza’s computers, so it was not a cut and dried case of someone stealing code to take to his new job.

The scary part is that this is an easy case – they have the proverbial smoking gun and six years later it is not settled.  What about the cases the employer never even found out about?

What this says is that the entire problem of insider theft is a pretty messy problem and it is not going to become any easier in your lifetime or mine.

The Insider Risk

In January Morgan Stanley caught one of its financial advisors, Galen Marsh, after he stole data on 350,000 clients and someone posted part of it on the Internet.

This month a JPMorgan employee, Peter Persaud, was arrested for selling customer data to an undercover FBI snitch.

While both of these people were in the financial services world, insiders taking information is certainly not limited to that industry.

We hear stories all the time of sales people taking their Rolodex with them when they leave a company.

We hear stories of tech people taking code with them and to a lesser extent, taking customer lists.

The scary question is the part that we do not hear about.

In the case of Marsh (see WSJ article), he admitted to taking the data.  He did, however, claim that he did not post it online (where it was found), nor did he try and sell it.  The information which did appear on the Internet included names, account numbers, state of residence and asset values.  These were all high net worth clients, with balances in the hundreds of thousands to millions of dollars.  He had been an employee since 2008.

In the other case, Persaud was paid $2,500 by an FBI snitch in exchange for information on an account with a $19,000 balance.  The snitch was supposed to pay him an additional $7,500 after he emptied the bank account.  He also tried to sell information on 4 other accounts with a combined balance of $150,000 (see Bloomberg article).

For every story that we hear about, where someone is discovered, arrested and prosecuted, there are thousands that we don’t know about.  In some cases, companies find out about it but choose not to prosecute because they do not want customers or investors to find out that the data they entrusted the company with is not safe.  Not to pick on law firms, but they are a hot target, and there are few circumstances that require them to disclose breaches to their clients unless the data contains health or credit information.

The questions to ask yourself are these:

IF ONE OF MY EMPLOYEES WALKED OUT THE DOOR WITH MY CUSTOMER LIST, SALES DATA, TECHNICAL INFORMATION OR INVESTOR INFORMATION, WOULD I KNOW THAT THEY DID?

IF THEY SOLD IT ON THE DARK WEB, WOULD I KNOW?

For most companies, the answer is no.  Chase spends about $250 million a year on cyber security and after the loss of 75,000,000 client accounts to hackers late last year, CEO Jamie Dimon promised to double that to $500 million.

In most cases, internal controls are loose and employees would not trigger any alarms if they copied data.  After all, they are trusted – we hired them, didn’t we?
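As an added illustration of what “would I know?” means in practice (example code written for this page, not from the post or from any of the firms named): a small Python correlation over constructed audit records that reproduces the pattern described above (a bulk transfer, an external destination, deletion of history or log files, all within days of a known last day) and flags a user for review only when several indicators coincide. The thresholds, the host allow-list and the HR departure feed are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs), modelled on the sequence
# the post describes: bulk download of code, transfer to an external host,
# and deletion of a history file a few days before the employee's last day.
EVENTS = [
    {"ts": "2009-06-01T17:02:00", "user": "dev1", "action": "download", "bytes": 1224 << 20},
    {"ts": "2009-06-01T17:40:00", "user": "dev1", "action": "upload", "bytes": 1224 << 20,
     "dest": "subversion.example.de"},
    {"ts": "2009-06-01T17:45:00", "user": "dev1", "action": "delete",
     "path": "/home/dev1/.bash_history"},
    {"ts": "2009-06-02T09:00:00", "user": "dev2", "action": "download", "bytes": 5 << 20},
    {"ts": "2009-06-02T09:30:00", "user": "dev2", "action": "upload", "bytes": 5 << 20,
     "dest": "git.internal.example"},
]
DEPARTURES = {"dev1": "2009-06-05"}           # hypothetical HR feed: user -> last day
INTERNAL_HOSTS = {"git.internal.example"}     # assumed allow-list of approved destinations
BULK_BYTES = 100 << 20                        # assumed threshold: more than 100 MB at once
LOG_MARKERS = ("/var/log/", ".bash_history", "audit")
NOTICE_WINDOW = timedelta(days=14)            # assumed: watch the last two weeks of notice

def flag_user_events(events, departures):
    """Return {user: sorted list of indicator names} for users with any indicator."""
    flags = defaultdict(set)
    for e in events:
        user, act = e["user"], e["action"]
        ts = datetime.fromisoformat(e["ts"])
        if act in ("download", "upload") and e.get("bytes", 0) > BULK_BYTES:
            flags[user].add("bulk_transfer")
        if act == "upload" and e.get("dest") not in INTERNAL_HOSTS:
            flags[user].add("external_destination")
        if act == "delete" and any(m in e.get("path", "") for m in LOG_MARKERS):
            flags[user].add("log_tampering")
        if user in departures:
            last_day = datetime.fromisoformat(departures[user])
            if timedelta(0) <= last_day - ts <= NOTICE_WINDOW:
                flags[user].add("near_departure")
    return {u: sorted(f) for u, f in flags.items()}

def high_risk_users(events, departures, min_indicators=3):
    """Users combining several indicators; one alone is usually ordinary work."""
    return sorted(u for u, f in flag_user_events(events, departures).items()
                  if len(f) >= min_indicators)

if __name__ == "__main__":
    for user, reasons in flag_user_events(EVENTS, DEPARTURES).items():
        print(user, reasons)
    print("review:", high_risk_users(EVENTS, DEPARTURES))
```

The point of requiring several indicators is that each one on its own (a large checkout, a resignation, a deleted shell history) is routine; it is the combination, close to a departure date, that should reach a human.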

A 2012 study found that almost half of the employees questioned would sell their corporate credentials for $150.  Whether half or $150 are exactly correct or not, the fact that any would sell it for a few hundred dollars speaks to the fact that employees don’t have much loyalty to companies who, they think, will show them the door if it is convenient to the company.

How much do you spend on cyber security?