Attacks/Breaches
5/11/2010
04:58 PM
Connect Directly
RSS
E-Mail
50%
50%

Goldman Sachs Sued For Illegal Database Access

Employees at Goldman allegedly used misappropriated credentials to grab intellectual property from market intelligence service's database

Goldman Sachs has been slapped with a $3 million lawsuit by a company that alleges the brokerage firm stole intellectual property from its database of market intelligence facts.

Filed last week in the U.S. District Court for the Southern District of New York, the lawsuit claims Goldman Sachs employees used other people's access credentials to log into Ipreo Networks's proprietary database, dubbed Bigdough. Offered on a subscription basis, the information contained within Bigdough offers detailed information on more than 80,000 contacts within the financial industry. Ipreo complained to the court that Goldman Sachs employees illegally accessed Bigdough at least 264 times in 2008 and 2009.

Adrian Lane, an analyst with Securosis, says this is a textbook case for why companies with important intellectual property held in databases need to implement robust monitoring tools to supplement sound access control policies and procedures.

"Insider threats of CRM systems is literally the genesis of [the database activity monitoring] industry," Lane says. "This is a prototypical example of why you want to have monitoring over and above access controls to verify usage. You want to check to make sure that the individual is looking at the records that are appropriate to that account."

According to the suit, Goldman Sachs did acknowledge that the IP address used to make the unauthorized access belonged to the brokerage firm, but that it was just the act of a lone employee.

Phil Lieberman, president of Lieberman Software, believes that defense won't wash well in court. "The only place this rogue-employee defense works is if the employee goes nuts off-site of the company with no company direction and hurts someone while not conducting company business," he explains. "Sharing a bucket of KFC chicken with a friend is OK. Sharing the secret formula for KFC chicken with a friend who then goes out and makes money from the information is not OK. In this last case, if the cook gets the formula for the chicken and makes more money for the restaurant as a result of the secret information, the owner will be liable for the stolen information."

As Lieberman puts it, shared accounts are a sad fact of life when IT manages its own systems. Things become a lot trickier, though, when that account-sharing involves third-party services. "Many online companies provide a per-seat licensing model that does not enforce restrictions or stop sharing. In many cases, these per-seat costs are very high and it is deemed to be too troublesome for low-level employees without executive titles to purchase additional seats, so theft is the usual outcome," Lieberman says. "In this case, it appears that friends probably shared these licenses outside of their company as a 'favor.'"

In most cases, when the service provider informs the infringing party that they need to pay for what they stole, the offending party basically pays for the stolen property and that's it, he says. "[But] it appears that Goldman decided to take the road less traveled and enter into a less-than-savory legal and business position that has now landed them in court," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.