Attacks/Breaches
5/11/2010
04:58 PM
50%
50%

Goldman Sachs Sued For Illegal Database Access

Employees at Goldman allegedly used misappropriated credentials to grab intellectual property from market intelligence service's database

Goldman Sachs has been slapped with a $3 million lawsuit by a company that alleges the brokerage firm stole intellectual property from its database of market intelligence facts.

Filed last week in the U.S. District Court for the Southern District of New York, the lawsuit claims Goldman Sachs employees used other people's access credentials to log into Ipreo Networks's proprietary database, dubbed Bigdough. Offered on a subscription basis, the information contained within Bigdough offers detailed information on more than 80,000 contacts within the financial industry. Ipreo complained to the court that Goldman Sachs employees illegally accessed Bigdough at least 264 times in 2008 and 2009.

Adrian Lane, an analyst with Securosis, says this is a textbook case for why companies with important intellectual property held in databases need to implement robust monitoring tools to supplement sound access control policies and procedures.

"Insider threats of CRM systems is literally the genesis of [the database activity monitoring] industry," Lane says. "This is a prototypical example of why you want to have monitoring over and above access controls to verify usage. You want to check to make sure that the individual is looking at the records that are appropriate to that account."

According to the suit, Goldman Sachs did acknowledge that the IP address used to make the unauthorized access belonged to the brokerage firm, but that it was just the act of a lone employee.

Phil Lieberman, president of Lieberman Software, believes that defense won't wash well in court. "The only place this rogue-employee defense works is if the employee goes nuts off-site of the company with no company direction and hurts someone while not conducting company business," he explains. "Sharing a bucket of KFC chicken with a friend is OK. Sharing the secret formula for KFC chicken with a friend who then goes out and makes money from the information is not OK. In this last case, if the cook gets the formula for the chicken and makes more money for the restaurant as a result of the secret information, the owner will be liable for the stolen information."

As Lieberman puts it, shared accounts are a sad fact of life when IT manages its own systems. Things become a lot trickier, though, when that account-sharing involves third-party services. "Many online companies provide a per-seat licensing model that does not enforce restrictions or stop sharing. In many cases, these per-seat costs are very high and it is deemed to be too troublesome for low-level employees without executive titles to purchase additional seats, so theft is the usual outcome," Lieberman says. "In this case, it appears that friends probably shared these licenses outside of their company as a 'favor.'"

In most cases, when the service provider informs the infringing party that they need to pay for what they stole, the offending party basically pays for the stolen property and that's it, he says. "[But] it appears that Goldman decided to take the road less traveled and enter into a less-than-savory legal and business position that has now landed them in court," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

CVE-2014-5212
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in nds/search/data in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote attackers to inject arbitrary web script or HTML via the rdn parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.