Today, an article on TheRegister caught my eye. It was also reported on Bloomberg. Two ex-employees of a Wall Street trading company – Flow Traders – are facing criminal charges for leaking trading evaluation algorithms from their previous employer.
Now this is your typical information leakage story, where an employee steals company assets for personal gain. But here’s what’s truly astonishing.
Consider this quote:
“Vuu was charged with 20 counts of each offense, having emailed himself various materials related to Flow Traders’ trading strategies and valuation algorithms over the period from August 2011 to August 2012” (emphasis is mine).
Not only did the trading company have an insider active for a year, the charges and investigation of the story comes out only now – one year later. From the beginning of the data leakage to the point of prosecution, two full years have elapsed. Only recently has one of the offenders left the trading firm, reportedly in March 2013.
Here is another quote from one of the ex-employee’s lawyers:
“I’m confident that when the DA’s office has completed their investigation they will find Flow Traders did not suffer any economic loss.”
Let’s step back for a second.
It’s difficult to assess the damage that results from data theft. But the potential fallout is truly mind boggling. A trading firm’s evaluation algorithms are their most precious IP. They are the unique factor that measures and automates buy/sell decisions. A firm loses that – and it’s out of business, period. Two years is ample time to sell stolen information to the highest bidder and destroy a business.
Companies with employees at different levels who access IP must take precautions to ensure that data is monitored and audited. In today’s data-driven world, a company simply cannot afford a breach that goes unnoticed for two years.
Flow Traders may have dodged a bullet. But future companies may not be so lucky.
Barry Shteiman | Senior Security Strategist | Imperva
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.