HSBC's Massive Breach Is Just The Latest Example Of Big Finance Getting Broadsided


Today, HSBC’s Swiss private bank said 15,000 sets of confidential client data were stolen by a former IT staffer. The employee, Herve Falciani, tried to sell the information to Lebanese banks before fleeing to France, according to the Wall Street Journal.

Even if HSBC is right and the stolen data isn’t in bad hands, it was a very close call.

And it’s just another example of the danger posed to global finance by inside threats.

“Our research shows that malicious insiders have the access and opportunity to commit fraud, steal confidential information, and sabotage IT systems,” says Dawn Cappelli of Carnegie Mellon’s Computer Emergency Response Team. “These actions are very difficult to detect, since they typically perform the same types of actions they do in the course of doing their jobs, and only require the access they need to do their jobs every day.”

But there’s much more than disgruntled insiders to disrupt financial markets and undermine consumer confidence. There are also numerous technical threats, like trading algorithms gone haywire, traders making billions of dollars in rogue transactions, or Russian cyber-gangs hacking into bank servers. Even a “fat finger” human error can send a stock tumbling.

Send a fake press release

Fake press releases are a relatively simple way to violently move a stock and undermine confidence in the markets.

The 2000 example of Emulex proves the point. Mark Jakob, a former employee of Internet Wire who wanted to make money by shorting the company's stock, sent out a fake press release from Emulex, falsely stating that there was an SEC investigation, that the CEO had resigned, and that the company was revising and lowering its earnings.

Several news organisations republished the press release, and in a 16-minute period following the republication of the fake, 2.3 million shares of Emulex stock were traded and the price plummeted almost $61, from $103.94 to $43.00, resulting in Emulex losing $2.2 billion in market capitalisation.

Besides Emulex, other examples of stock-moving press releases include fakes of information from Lucent and PairGain.

Spread market rumours on IM

Likely the most common way to manipulate financial markets is the spreading of false rumours.

Instant messenger on platforms like AIM and Bloomberg can be used to cause selling or buying, which can then be exaggerated by computer algorithms at hedge funds and banks that automatically trade on pre-set market movements.

One recent example of instant messaging trouble comes from the Galleon Group insider trading investigation. One firm linked to the web of advance information was trading company Schottenfeld Group, which, as Reuters reported, has a history with illegal market whisperings.

In 2007, trader Paul Berliner used instant messenger to spread a false rumour to other brokers and hedge funds that Alliance Data's takeover by the Blackstone Group was being changed to $70 a share from $81.75 a share. He then shorted the stock for a profit, according to the SEC. Without admitting or denying the allegations of securities fraud and market manipulation, Berliner settled with the SEC, agreeing to pay back the $26,129 in profits, to pay a maximum $130,000 penalty, and to be barred from association with any broker or dealer.

The increase in automated trading based on algorithms, or 'algos,' raises fears that one could be manipulated, setting off a market-moving chain reaction to other computers.

An intentional attack is unlikely because it would need to come from someone with inside access, as opposed to an Internet-based hack. Still, a recent unintentional error shows how quickly misbehaving 'algos' can affect the market.

Ars Technica has this helpful summary of a recent melt-down at Credit Suisse:

'On November 14, 2007 at 3:20pm one of Credit Suisse's trading algorithms suddenly went haywire, and, in a few moments, sent hundreds of thousands of bogus requests to the exchange. This sudden surge of requests, which were cancellations for a large batch of orders that the machine had never actually sent out, acted like a denial-of-service attack on some parts of the New York Stock Exchange. The messages clogged the tubes and caused parts of the exchange to freeze up, affecting trading in 975 stocks.'

NYSE fined Credit Suisse $150,000 for 'failing to adequately supervise the development, deployment and operation of a proprietary algorithm, including a failure to implement procedures to monitor certain modifications made to the algorithm.'

What's scary is what set off the problem: a trader's double click -- instead of a single one.

Release false economic data

Naturally, markets react to big government data releases, like the latest GDP or unemployment figures. What if someone got access and manipulated the numbers?

Government agencies like the Bureau of Economic Analysis make it sound highly unlikely because of elaborate security protocols, but anything's possible. We don't know of a successful attack, but there have already been some real-life goofs, as Zero Hedge pointed out about this Federal Reserve data.

Plus, if Iraqi insurgents can hack U.S. drone video feeds with $26 off-the-shelf software, as they did in December, who knows.

Trade as multiple people

Another threat is making big trades using multiple online trading systems.

A small-scale example shows how, if multiplied, there could be real problems. In September 2009, 25-year-old Van Dinh confessed to hacking into a New York-based currency exchange service and gifting himself more than $100,000.

According to the FBI (via Wired) Dinh 'set up a legitimate account with an online currency exchange service based in New York. Two weeks later, he logged in using an administrative password and added $55,000 to his account. The bureau says he added another $55,000 two days after that. At the same time, Dinh used his access to make currency trades on two other customer accounts, and then gave one of them $140,326.75.'

Steal code

This technique hasn't been used maliciously yet, but it has the potential to temporarily damage U.S. financial markets.

Sergey Aleynikov, a former Goldman Sachs computer programmer, allegedly stole proprietary source code for software used to make high-frequency trades at the bank.

Aleynikov claims he inadvertently downloaded only a snippet of code, which he never used. Goldman says the code he downloaded could undermine the company's entire investment in high frequency trades, which is estimated to be an $8 billion to $20 billion a year business.

Make rogue trades

Sometimes, the biggest threat to banks and financial data doesn't come from hackers, but from rogue insiders who use company software for unauthorised financial plays.

Jérôme Kerviel, a Société Générale trader, falsified trades to conceal $73 billion in bets he made on risky futures markets, as Forbes summarizes. When the French bank, whose own market value isn't worth $73 billion, discovered the rogue trader's excessive positions in January 2008, the bank reportedly lost $7.36 billion. Kerviel's trial is pending for one of the decade's worst financial crimes.

Get into bank accounts

Sometimes, the exact method isn't known, but a Russian hacking group known as the 'Russian Business Network' may have struck at least one large international bank.

In December, the Wall Street Journal reported that the FBI was probing a computer-security breach, likely by Russian hackers, targeting Citibank that resulted in a theft of tens of millions of dollars. Citigroup was forceful in denying the report.

If the breach was real and similar threats remain, 'security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others,' notes the WSJ's report.

Hacking Into Bank Payrolls

In November, a ring of Estonian, Russian and Moldovan hackers was indicted by the Dept. of Justice in Atlanta on charges of hacking into a computer network operated by credit card processing company RBS WorldPay, a Royal Bank of Scotland division.

Authorities called it 'perhaps the most sophisticated and organised computer fraud attack ever conducted.'

According to prosecutors, the group allegedly used 'sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards...Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.'

The $9 million loss occurred within a span of less than 12 hours.
