Attacks/Breaches
5/11/2010
04:58 PM
50%
50%

Goldman Sachs Sued For Illegal Database Access

Employees at Goldman allegedly used misappropriated credentials to grab intellectual property from market intelligence service's database

Goldman Sachs has been slapped with a $3 million lawsuit by a company that alleges the brokerage firm stole intellectual property from its database of market intelligence facts.

Filed last week in the U.S. District Court for the Southern District of New York, the lawsuit claims Goldman Sachs employees used other people's access credentials to log into Ipreo Networks's proprietary database, dubbed Bigdough. Offered on a subscription basis, the information contained within Bigdough offers detailed information on more than 80,000 contacts within the financial industry. Ipreo complained to the court that Goldman Sachs employees illegally accessed Bigdough at least 264 times in 2008 and 2009.

Adrian Lane, an analyst with Securosis, says this is a textbook case for why companies with important intellectual property held in databases need to implement robust monitoring tools to supplement sound access control policies and procedures.

"Insider threats of CRM systems is literally the genesis of [the database activity monitoring] industry," Lane says. "This is a prototypical example of why you want to have monitoring over and above access controls to verify usage. You want to check to make sure that the individual is looking at the records that are appropriate to that account."

According to the suit, Goldman Sachs did acknowledge that the IP address used to make the unauthorized access belonged to the brokerage firm, but that it was just the act of a lone employee.

Phil Lieberman, president of Lieberman Software, believes that defense won't wash well in court. "The only place this rogue-employee defense works is if the employee goes nuts off-site of the company with no company direction and hurts someone while not conducting company business," he explains. "Sharing a bucket of KFC chicken with a friend is OK. Sharing the secret formula for KFC chicken with a friend who then goes out and makes money from the information is not OK. In this last case, if the cook gets the formula for the chicken and makes more money for the restaurant as a result of the secret information, the owner will be liable for the stolen information."

As Lieberman puts it, shared accounts are a sad fact of life when IT manages its own systems. Things become a lot trickier, though, when that account-sharing involves third-party services. "Many online companies provide a per-seat licensing model that does not enforce restrictions or stop sharing. In many cases, these per-seat costs are very high and it is deemed to be too troublesome for low-level employees without executive titles to purchase additional seats, so theft is the usual outcome," Lieberman says. "In this case, it appears that friends probably shared these licenses outside of their company as a 'favor.'"

In most cases, when the service provider informs the infringing party that they need to pay for what they stole, the offending party basically pays for the stolen property and that's it, he says. "[But] it appears that Goldman decided to take the road less traveled and enter into a less-than-savory legal and business position that has now landed them in court," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0176
Published: 2015-04-27
Cross-site scripting (XSS) vulnerability in MQ XR WebSockets Listener in WMQ Telemetry in IBM WebSphere MQ 8.0 before 8.0.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URI that is included in an error response.

CVE-2015-1886
Published: 2015-04-27
The Remote Document Conversion Service (DCS) in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF16, and 8.5.0 through CF05 allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.