Saturday, July 18, 2009

Computer Code Theft At Goldman Sachs, UBS; Could UB Next?

Amid recent reports of stolen computer code relating to proprietary trading operations at Goldman Sachs and UBS, some have wondered if these are success stories (catching rogue employees), tales of fails (in the design or operation of controls), or some elements of both.

To recap, on Sunday, July 5, Reuters' Matt Goldstein* was the first to report on A Goldman Sachs Trading Scandal. (*Full disclosure: Reuters' Goldstein is married to Marian Raab, Managing Editor of FEI's Financial Executive Magazine.) Ryan Chittum wrote in The Columbia Journalism review's blog, The Audit, that Goldstein broke the story, adding: "According to a Factiva search, Reuters had the story all by its lonesome (in the mainstream press, anyway) for some seventeen hours. The New York Times, Wall Street Journal, and Financial Times all had no news of the scandal in their Monday editions."

As reported by Reuters' Goldstein in his July 5 article:

"While most in the United States were celebrating the Fourth of July holiday, a Russian immigrant living in New Jersey was being held on federal charges of stealing secret computer trading codes from a major New York-based financial institution. Authorities did not identify the firm, but sources say that institution is none other than Goldman Sachs. The charges, if proven, are significant because the codes that the accused, Sergey Aleynikov, tried to steal are the secret sauce to Goldman's automated stock and commodities trading business. Federal authorities contend the computer codes and related-trading files that Aleynikov uploaded to a German-based website help this major financial institution generate millions of dollars in profits each year."

In his follow-on story, To Catch a Rogue Quant (July 6), Goldstein provided a glimpse into Aleynikov's purported actions, and how they were detected:

"Goldman ...went to the Federal Bureau of Investigation after discovering that a former employee allegedly downloaded copies of the "source code" for the firm's stock trading system. Federal authorities say that a few weeks ago, Goldman began monitoring its computer network for illegal file transfers and it was during one of those electronic sweeps that the actions of Sergey Aleynikov, the former employee, were apparently detected."

More details of how the crime was allegedly committed can be found in Ex-Goldman Programmer Described Code Downloads to FBI (July 10) by Bloomberg's David Glovin and David Scheer:

"Aleynikov, 39, told the [FBI] agent about 1 a.m. on July 4 that he had logged into Goldman’s computers through remote access from his home and sent encrypted files to a repository server with the URL identifier svn.xp-dev.com...Xp-dev.com is run by London resident Roopinder Singh, who describes himself on a blog linked to the site as a trading systems developer working in London’s financial services industry. The site offers “subversion hosting,” letting users track current and previous versions of programming code and other documents. 'Everything happened all of a sudden,' Singh, 27, said today in an interview. The German Web hosting company
for his site removed it July 6 without explanation, he said. That night, agents from the U.K.’s Serious Organised Crime Agency visited his home, telling him stolen data was being erased from the site’s servers. Two days later, they told him the incident was linked to Goldman. His site reappeared after a 45-hour outage. "

Glovin and Scheer recount a colorful blog posting by Singh: “It turns out that some idiotic moron a user had uploaded data on to the service that he/she was not authorized to have,” Singh wrote to his customers in a blog posting yesterday, crossing out the words “some idiotic moron.” “This is your basic intellectual property theft case here.”

In his defense, Aleynikov claimed to have believed he was "only ... collecting 'open source' files" as noted in Ex-Goldman Employee Charged with Code Theft, by Joe Bel Bruno and Amir Efrati in wsj.com July 6.

The practice of downloading codes is not that unusual, according to Michael Osinski's July 16 OpEd in the New York Times, Steal This Code. However, he argues it is the idea behind a code which can be of the most value to a competitor, not the actual code itself.

Potential Impact on Goldman? Citadel?
As to the potential impact on Goldman Sachs from this incident, Assistant U.S. Attorney Joseph Facciponti argued in court, as noted in Goldman May Lose Millions From Ex-Worker’s Code Theft, (July 7) by Bloomberg's David Glovin, Christine Harper and Saijel Kishan:


Goldman Sachs stands to lose if its trading technology leaks out, Facciponti told the judge. "Once it is out there, anybody will be able to use this, and their market share will be adversely affected.”
Others have speculated on what the impact may be on Goldman. The Bloomberg article above adds:
"Someone stealing that code is basically stealing the way that Goldman Sachs makes money in the equity marketplace,” said Larry Tabb, founder of TABB Group, a financial-market research and advisory firm. 'The more sophisticated market makers -- and Goldman is one of them -- spend significant amounts of money developing software that’s extremely fast and can analyze different execution strategies so they can be the first one to make a decision,” Tabb said. Someone could use the code “to implement the same strategies and maybe on certain stocks they can be faster and, in effect, take away money that would normally be Goldman’s,” Tabb said in a phone interview. 'The second thing that they can do is actually analyze the code so that they know what Goldman’s going to do before Goldman does it and kind of reverse-engineer Goldman’s strategies and make money basically at the expense of Goldman.”

Further speculation was included in NYT's Graham Bowley's article, Ex-Worker Said To Steal Goldman Code:


"Peter Niculescu, a partner at Capital Market Risk Advisors, an advisory firm specializing in risk management and capital markets, said computerized trading had become increasingly important drivers of revenue growth within banks over the last 10 years. But he said stealing a bank’s trading code did not necessarily guarantee riches, because running it somewhere else was not easy without, for example, a bank’s databases or links to customers. “If you have the code, but not the database then it is of limited value,” he told The Times. “It is not easy to transfer the code and run it somewhere else.” ... Mr. Schneier [Bruce Schneier, the chief security technology officer for British Telecom, referenced elsewhere in the article] said, “It is certainly possible that if you knew what the big guys were doing you could anticipate it and make money.” He said that if a rival bank in the United States had been approached to buy the software, it would most likely have called the police, but a seller might have had better luck abroad. “It is worth a lot less in the U.S. than you might think, but in countries that are more lawless it could have value,” he said."
On the day of their earnings release, Goldman Sachs made its first public statement relating to the code theft. As reported by Steve Eder in Reuters DealZone Goldman Sachs Breaks Silence on Alleged Code Theft (July 14) Goldman's CFO, David Viniar, said any losses arising from the theft of the computer codes would be "very, very immaterial".

“We still have all of the code,” Viniar said. “It is not like the code had been lost to Goldman Sachs. And even if it had been, it is a small piece of our business.” A federal prosecutor last week during a bail hearing for Aleynikov made it sound as though the code was of vital importance. 'It is something which they had spent millions upon millions of dollars in developing over the past number of years and it’s something which provides them with many millions of dollars of revenue throughout this time,' [Assistant U.S. Attorney] Joseph Facciponti said, according to a court transcript."

Soon after news hit that ex-Goldman employee Aleynikov's new employer was Chicago firm Teza Technologies (founded by ex-employees of Citadel Investment Group), NYT Dealbook, edited by Andrew Ross Sorkin, reported After Goldman, Citadel Files Its Own Espionage Suit:
"Chicago-based Citadel, founded by 40-year-old billionaire Kenneth C. Griffin,
said in a lawsuit filed Thursday that Mikhail Malyshev, 40, and two other former
employees had violated their noncompete clauses by starting their own firm, Teza
Technologies.

“This is a case of industrial espionage,' Citadel said in a complaint filed Thursday in Illinois state court in Chicago. ...'Defendants’ activities, particularly Teza’s decision to hire Aleynikov, an accused software thief, create a substantial risk that they have stolen, or may be planning to steal, Citadel’s proprietary code,' the hedge fund firm said in court papers.
Here's the kicker with respect to Citadel, as told in NYT Dealbook:


"If the information were obtained by someone else, the company, which has often been compared with Goldman Sachs for its trading prowess, said it would suffer irreparable harm."
UBS Discloses Earlier Theft
Goldman Sachs is not the only major financial services firm recently hit with theft of computer code. Katherine Heires reported in Securities Industry News earlier this week in UBS Charges 3 Ex-Employees with Code Theft:
"Swiss bank UBS AG confirmed Monday that it filed papers in March charging three ex-employees with “misappropriation of trade secrets.” The “misappropriation” included 25,000 lines of source code used in UBS’s “trade secret algorithmic trading programs,” according to documents submitted with the New York State Supreme Court." She continues: "The bank is charging three former employees in the firm’s algorithmic trading group of having “collectively coordinated and planned together” to move to new jobs at New York-based Jefferies & Company while still technically in the employee of UBS, taking with them UBS trade secrets, breaching their employment contracts and fiduciary duties and resulting in unfair competition."
Potential For Market Manipulation?
A separate thread to this story received some major attention when Bloomberg's Jonathan Weil focused on some of AUSA Facciponti's remarks in court as to a potential broader threat to the markets that could arise if there were misuse of Goldman's stolen code.


Weil raised the question of whether this meant Goldman itself could manipulate the markets using the code, as stated in his July 9 article Goldman Sachs Loses Grip on Its Doomsday Machine:

"It wasn’t just Goldman that faced imminent harm if Aleynikov were to be released, Assistant U.S. Attorney Joseph Facciponti told a federal magistrate judge at his July 4 bail hearing in New York. The 34-year-old prosecutor also dropped this bombshell: “The bank has raised the possibility that there is a danger that somebody who knew how to use this program could use it to manipulate markets in unfair ways.” How could somebody do this? The precise answer isn’t obvious -- we’re talking about a black-box trading system here. And Facciponti didn’t elaborate. You don’t need a Goldman Sachs doomsday machine to manipulate markets, of course. A false rumor expertly planted using an ordinary telephone often will do just fine. In any event, the judge rejected Facciponti’s argument that Aleynikov posed a danger to the community, and ruled he could go free on $750,000 bail. He was released July 6. All this leaves us to wonder: Did Goldman really tell the government its high-speed, igh-volume, algorithmic-trading program can be used to manipulate markets in unfair ways, as Facciponti said? And shouldn’t Goldman’s bosses be worried this revelation may cause lots of people to start hypothesizing aloud about whether Goldman itself might misuse this program?"

Weil concludes: "[I]t would be nice to see someone at Goldman go on the record to explain what’s stopping the world’s most powerful investment bank from using its trading program in unfair ways, too. Oh yes, and could the bank be a bit more careful about safeguarding its trading programs from now on? Hopefully the government is asking the same questions already.

Separately, the Gold Anti-Trust Action Committee (GATA) - described in wikipedia as "an organization dedicated to publicizing their belief that gold reserves in central banks are significantly overstated, and that the price of gold is manipulated by governments and large central banks" - cited a Bloomberg article in their July 8 press release: GATA Urges SEC, CFTC To Investigate Goldman Trading Program (GATA press release via Business Wire and AOL; the press release contains the full text of GATA's letter to the SEC and CFTC.)


Some would say the definitive article in the realm of conspiracy theory on Goldman Sachs is Matt Taibbi's article published in Rolling Stone Magazine earlier this month: The Great American Bubble Machine, in which Taibbi describes how "Goldman Sachs has engineered every major market manipulation since the Great Depression - and they're about to do it again."

Following the July 14 release of Goldman's second quarter earnings (including net revenues of $13.76 billion and net earnings of $3.44 billion for the quarter), Taibbi's article has received even more attention, as noted in Alan Kohler's July 15 post The Goldman Earnings Oasis published in Australia's Business Spectator; and closer to home, in John Carney's post in Clusterstock's Business Insider, OK, This Time Matt Taibbi Nails Goldman and the Bailout.

The Aleynikov Affair: A Story of Success (of Detection) or Failure (of Prevention)?
Some wonder if the Goldman-Aleynikov saga is a success story (of detection of a breach), a tale of a failure (of prevention), or if it contains some elements of both.

NYT's Graham Bowley, in Ex-Worker Said To Steal Goldman Code, noted:

"Bruce Schneier, the chief security technology officer for British Telecom and an expert on computer security, said this type of corporate crime — of a former employee leaving a company with data he should not have — occurred quite regularly. But he agreed that Goldman’s systems had worked well in stopping Mr. Aleynikov. 'This is an example of a system of detection and response working,' he said."

Former SEC Chairman Harvey Pitt had a more cautionary tone, as quoted by Bloomberg reporters Glovin, Harper and Kishan, in Goldman May Lose Millions From Ex-Worker’s Code Theft:

"Harvey Pitt, former chairman of the U.S. Securities and Exchange Commission, said proprietary electronic data poses significant risks for all financial firms. “This is a wake-up call to all financial institutions to review their security systems, not just with respect to trading codes, but with respect to all proprietary information,” said Pitt, now chief executive officer of consulting firm Kalorama Partners LLC in Washington. Goldman appeared to have taken some steps to prevent the theft of its code, Pitt
said. “The real question is whether, in light of this outrageous conduct on the part of one of its employees, it should have taken more steps.”

Emily Chasan and Phil Wahba of Reuters noted in Banks Struggle to Secure Trading Codes:

"Although code theft at big companies is rare, the industry has learned to protect against insiders even more than outsiders -- similar to the way a casino is threatened by employees who know the system.... The chance of theft without leaving a trace is remote," said Sang Lee, managing partner at Boston-based consultancy Aite Group. He said Goldman's Aleynikov was "literally leaving digital footprints."

Reuters writers Chasan and Wahba provide additional insights from experts, and reference the UBS incident as well, in which "Swiss bank UBS (UBSN.VX) filed a complaint against three employees in New York State Supreme Court, saying they had coordinated and planned to take trade secrets to a competitor, including "more than 25,000 physical lines of source code" for UBS' algorithm trading programs."

Could UB Next? Resources on Prevention/Detection Of Fraud

Intrigued by the Goldman story, I reached out to a number of professional associations and experts in the field of fraud prevention and detection and internal control, for any insights they could provide. Understandably, none could speak definitively about the Goldman Sachs or UBS situations, since most of the details as to facts and circumstances are not in the public domain. However, these experts provide some general advice relating to the generic situation that has been reported in the press, and you can find additional resources by visiting their websites.

Bruce Dorris, CPA, CFE, Program Director for the Association of Certified Fraud Examiners, and formerly an Assistant District Attorney in Louisiana, notes, “Based on the information available, there apparently was some monitoring of certain data transfers within Goldman Sachs that alerted those in charge. It demonstrates that looking for red flags that detect fraud occurring in an organization, even one as large as Goldman Sachs, is effective if specific controls are properly implemented and monitored. Many companies that the ACFE conducts training with have control measures in place, that monitor not only the large amounts of data transmitted to and from its servers, but even down to the small thumb drives inserted in a desktop machine. In addition, security measures like restricted access enable fraud examiners to pinpoint any breach more quickly by isolating the investigation to a certain group if data transfers exceed preset limits, and then determining why the action took place. This is especially important in businesses that have tremendous investment in intellectual property, such as Goldman Sachs.”

Heriot Prentice, the Director of Practices and Guidance at the Institute of Internal Auditors, said, “Strong security controls should be able to prevent employees from stealing data or code, but this is becoming more challenging with the rapid advancements in technology storage units such as small USB devices that can store vast volumes of data.” Prentice continued, “When it comes down to it, just as with any type of fraud, this is an ethical behavior issue and starts with developing an appropriate organizational culture through hiring practices and establishing an authentic tone at the top. Organizations should clearly communicate to its employees its privacy policies and the legal ramifications should they choose to ignore them. Some organizations have even taken steps to control highly sensitive areas by conducting regular searches of employees to ensure they’re not taking proprietary information.”

Trent Gazzaway, Managing Partner of Public Policy and Corporate Governance at Grant Thornton LLP (and project leader on COSO’s guidance on Monitoring Internal Control Systems) observes, “This case demonstrates that the value of effective internal control and monitoring extends beyond financial reporting. Every organization faces internal and external business risks – including the risk of theft of mission-critical intellectual property. It is incumbent upon management and the board to determine what risks are meaningful to the organization’s objectives, implement effective controls to manage or mitigate those risks and then monitor the internal control system to obtain assurance that the controls continue to remain effective.

Kent Anderson, CISM, a member of the Security Management Committee of ISACA (formerly known as the Information Systems Audit and Control Association) said, “It can be difficult to prevent trusted insiders from wrongdoing, especially since the controls that many companies have in place are directed primarily at outsiders.” He added, “The key to successful internal controls is the ability to first detect unusual activity and then react properly through timely investigations and actions. Some critical controls include background checks and segregation of duties for critical processes. Organizations must understand what their mission-critical assets and processes are, and to do this, they must conduct threat and risk-assessments to help them develop and apply effective controls.” ISACA conducted a survey on risky IT behavior in the workplace in late 2007. Among the findings, more than one-third (35%) of respondents have violated their company's IT policies at least once and nearly one-sixth (15%) have used peer-to-peer file-sharing at least once at their place of business, opening the door to security breaches and placing sensitive business and personal information at risk.

If you are a new visitor to the FEI blog, we encourage you to visit us again on the web at http://financialexecutives.blogspot.com/ , or follow us on Twitter at http://twitter.com/feiblog . You can also sign up to receive emails of our blog posts by sending an email to blogs@financialexecutives.org and write in Subject line: Sign Up. We also welcome comments to be posted on the blog.



Print this post

9 comments:

Steven said...

wow! thanks for another great blog post!

Steven said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Deborah

http://maternitymotherhood.net

Printer ink cartridges said...

The most simple, informative, and complete blog post I've ever read.

cheap computers said...

Its pretty interesting and informative.

itsolusenz said...

Hi! Your blog is simply super. you have create a differentiate. Thanks for the sharing this website. it is very useful professional knowledge. Great idea you know about company background.
Customized application development

Anonymous said...

http://www.kanonehelal.blogfa.com

Anonymous said...

iranian red cross

www.kanonehelal.blogfa.com

shopping cart said...

Actually informative for the programmer which predict different ideas.

eddz1949 said...

This is hilarious! Many people assume that the crime came about due to the Internet.

The fact is, identity theft has been around for probably as long as there have been identities to steal.

These fraudulent people never chooses any time and place as long as they can take advantage from others for their own profits.