Attacks/Breaches
9/15/2011
12:57 PM
Connect Directly
RSS
E-Mail
50%
50%

UBS Discloses $2 Billion In Unauthorized Trades

Three years after unauthorized trading at Societe Generale, incident suggests that banks have more governance, risk, and compliance work to do.

Swiss banking giant UBS disclosed Thursday that it had lost $2 billion due to unauthorized trading, and British police arrested the suspected trader on fraud charges.

"UBS has discovered a loss due to unauthorized trading by a trader in its investment bank. The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of $2 billion. It is possible that this could lead UBS to report a loss for the third quarter of 2011," according to a statement released by the bank. It added that "no client positions were affected."

UBS discovered the unauthorized trades on Wednesday, and contacted police, who arrested a 31-year-old man in London at 3:30 a.m. Thursday, "on suspicion of fraud by abuse of position," said commander Ian Dyson of the City of London Police, in a statement.

The man, who remains in custody, has been named in news reports as Kweku Adoboli. According to his LinkedIn profile, he's the director of exchange-traded funds and Delta One--a complex form of derivative trading--at UBS Investment Bank in London. Adoboli's boss, John Hughes, resigned on Wednesday, according to news reports.

The timing of the unauthorized trades is potentially awkward for the bank, since on Thursday, the Swiss parliament was due to debate tighter regulations for UBS and Credit Suisse Group, over concerns that the banks have become "too big to fail."

The failure of UBS to catch the unauthorized trading is surprising since in 2008, rogue trader Jerome Kerviel at Societe General had used stolen passwords to hide Delta One trades that ultimately resulted in $7 billion in losses for the French bank. Ultimately, in October 2010, Kerviel was fined and jailed for three years. Furthermore, Kerviel is far from the only rogue trader to have bedeviled a financial institution in recent years.

While it's not clear how the UBS trades took place, "the risk management of UBS obviously failed," said Martin Kuppinger, principal analyst at market researcher KuppingerCole, which focuses on identity management and information security, in a blog post.

"Did some people cooperate? Did the risk management system specifically for that type of transactions fail? Or has it been an access management problem like at SocGen some time ago, where the trader was able to control [it] himself?" he said. "Whatever the reason is, the incident proves that there is still a long way to go in risk management and overall GRC--not only in the finance industry."

Shorthand for governance, risk, and compliance, GRC refers to a set of business practices designed to measure and report on various risks facing a business. Specifically, GRC focuses on governing an organization's management, business, and IT decisions. It's also meant to manage risks to the business, be they business-related, involving finances, or technology. Finally, GRC is meant to demonstrate compliance with whatever regulations the business must comply.

But too many businesses may not be taking a crucial next step, from not just having policies, but also the correct tools in place to automate and enforce them. "Most large enterprises today have risk, compliance, and privacy policies in place to govern processes for access, sharing, and storage of sensitive corporate information, yet as the growing number of public breaches can attest, policies alone are not the answer," according to business ethics and compliance advisor Michael Rasmussen of Corporate Integrity.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.