who’s watching the watchers? in this case, nobody

Friday’s Wall Street Journal featured a page 1 article (unfortunately behind a subscription paywall – less detailed but free coverage here, but you can get the full WSJ article by searching Google News for “HSBC data theft”) on a massive theft of private banking client data from HSBC.  The thief was… wait for it… an HSBC infosec employee whose job it was to improve the security of the systems and databases holding that data.  Said employee then shopped the data around to a number of European tax authorities as well as to competing banks.  When the French police raided his parents’ home in France as part of the investigation into the theft, the data was turned over to the French tax people, resulting in collection of 1 billion euros from les tax evadeurs.  Now the French tax people are sharing this treasure trove of data with their colleagues in other countries, who also expect to collect lots of back taxes.

Of course, the guy at the center of this claims he was not in it for the money – he wanted to point out flaws in HSBC security or help catch tax evaders or was working for intelligence services.  (He can’t seem to decide on which story to go with…) In any event, he denies any illegal activity and stated that he copied the data to his personal computers and offsite servers as part of his normal work.  HSBC states that it is against company policy to copy such data to non HSBC computers.

The story is quite interesting and raises a number of questions for security pros, organizations and law enforcement (as well as folks who like to stash their cash out of sight of the tax man).

Is France’s use of the ill gotten data and it’s further distribution of what is in effect stolen property a legitimate tool for government authorities? While there is a social good in collecting these taxes from the rich tax evaders, is this benefit outweighed by the message it sends vis a vis the rule of law?

Why was this very sensitive data not protected by some sort of DLP solution or even just old fashioned auditing and log review on the database server? Someone looking at a log and seeing this guy perform SELECT * on a sensitive database was all that would have been needed to detect this crime.

Why did this employee even have access to this data? I can’t see how his job function (in a properly designed technical and procedural environment) required the ability to view and copy database information.  Changes and testing of security for that database should have been done in a separate QA environment using test data and then staged to production by another party.

My final question is one for the security community… Where does our fiduciary duty to our employers end and our responsibility as citizens start? In this case, I think that the HSBC employee was clearly in the wrong.  HSBC was offering a service to it’s clients which is perfectly legal under Swiss law.  The users of the service had a responsibility to report their income to their taxation authorities under the current regime.  If the employee had a problem with the world of private banking, he should have gotten into a new line of work rather than resorting to theft.  As for his claimed pure motives, I would have a lot less trouble believing him had he not shopped the data to competing banks.  I’d also point out that it would have been reasonable for him to expect some sort of renumeration from the tax authorities for his “aid” in collecting lost revenue.  His stories just don’t seem to add up.

It is important to note that this is not a problem unique to HSBC – the lapses that led to this data theft are extremely common across all industries.  Heck, even the US military has data stolen through loopholes in data protection policies (and Lady Gaga).

This case is a great learning opportunity for security and risk professionals – organizations need to remember that security personnel are human and need to have appropriate controls placed on their systems access as well.  In most organizations, the Internal Audit group can provide this oversight.  Smaller organizations may need to resort to periodic reviews of internal security by an external consultant.  In any case, make sure someone is watching the watchers!

Update 2010-07-10  2010 – Just noticed that US tax authorities are “ramping up” their investigation into whether HSBC marketed tax evasion services to US clients.  Now, if they did engage in this activity, shame on them.  However, if the allegations are found to be true, it still does not transform a data theft by a person in a position of trust.  Had the employee involved simply contacted authorities with his concerns, the data could have been gotten by the authorities.  And his shopping the data to competitors still sticks in my craw.

who’s watching the watchers? in this case, nobody

Leave a Reply