Wednesday 21 January 2015

Ex-Citadel Employee Gets Three Years for Data Theft

Andrew Harris, Bloomberg

USA - A former Citadel LLC employee who admitted stealing data from the Chicago-based investment firm as well as high-frequency trading computer code from a New Jersey company was sentenced to three years in prison.

Yihao “Ben” Pu, who was charged in 2011, pleaded guilty in August to stealing proprietary information from Citadel in 2011 and to an earlier theft of trade secrets from Red Bank, New Jersey-based Tradeworx Inc.

Pu, 27, apologized to both companies as U.S. District Judge Charles Norgle in Chicago handed down the punishment today. He told the judge the thefts were “the most regrettable actions” of his life.

“I’ve paid a price for this case, personally, professionally, financially,” Pu said.

Citadel, founded by billionaire Kenneth C. Griffin, manages more than $24 billion, according to its website. Pu worked for the firm as a quantitative financial engineer from May 2010 to August 2011.

Prosecutors sought a sentence from seven years and three months to nine years, citing the loss to the two firms. Citadel said in a letter to Norgle that the firm had spent more than $10 million on research and development of its stolen data.

Pu’s lawyers said the companies lost no more than $2,000. Norgle concluded that the loss was around $12 million total. Pu must surrender to prison by May 1.

Obstructed Probe
A co-defendant, Sahil Uppal, who in August pleaded guilty to obstructing a criminal investigation, was sentenced today to three month’s probation. Pu and Uppal worked together at Tradeworx before joining Citadel four months’ apart in 2010. By the time he’d arrived at the firm, Pu had taken code from Tradeworx, he told the court at his August plea. Uppal admitted he wrote code for Citadel, then secretly transfered it to a computer he and Pu used. In August 2011, Citadel officials confronted Pu with suspicions he’d stolen data and told him to return it. Uppal and a person who wasn’t identified later removed computer hardware from Pu’s apartment, including hard drives with the firm’s confidential information, Assistant U.S. Attorney Lindsay Jenkins told Norgle during Uppal’s August hearing.

The two must repay Citadel a total of almost $760,000 to cover the cost of its investigation, the judge said.

Katie Spring, a Citadel spokeswoman, declined to comment on the sentences. Tradeworx didn’t immediately respond to a voice-mail message.

The case is U.S. v. Pu, 11-cr-00699, U.S. District Court, Northern District of Illinois (Chicago).

Friday 9 January 2015

Morgan Stanley reveals theft of client data by insider

Morgan Stanley said that up to 10 per cent of its wealth management clients had their account information stolen by an employee who may have been looking to sell it.

The US bank’s wealth management arm has about 3.5m clients. An employee “briefly” published to the internet the account names and numbers of about 900 of those clients.

The employee was fired and the incident reported to law enforcement and regulators, Morgan Stanley said, adding that there was “no evidence of any economic loss to any client”. The Federal Bureau of Investigation has been notified.

A person familiar with the matter said the employee was a financial adviser named Galen Marsh, a 30-year-old based in New Jersey. The Wall Street Journal first reported his identity.

The person familiar with the matter said Morgan Stanley believed Mr Marsh was attempting to sell the data. However, Mr Marsh denies this.

Robert Gottlieb, a lawyer at Gottlieb & Gordon, who is representing Mr Marsh, said: “This is an employment matter between Mr Marsh and Morgan Stanley. He has acknowledged that he should not have obtained the account information and has been co-operating with Morgan Stanley to protect the firm and its customers. To be clear, Mr Marsh did not sell nor ever intended to sell any account information. He did not post account information online. Nor did he share any information with anyone. Nor use it for any financial gain. He is devastated by what has occurred and is extremely sorry for his conduct.”

The data breach is large: Morgan Stanley operates the second-biggest wealth management operations in the US, behind Merrill Lynch, and serves the equivalent of more than one in 100 Americans, who use brokerage accounts to trade stocks and bonds.

But it is dwarfed by several big data breaches in 2014, including the 76m households affected by a hacking incident at JPMorgan Chase, the nation’s largest bank by assets.

In that incident, which is believed to have been perpetrated by outside computer hackers, JPMorgan disclosed in October that contact details, but no account numbers or social security numbers, were compromised.

The Morgan Stanley theft shows the difficulties financial institutions have in securing their data against internal threats. 

Companies have made progress in securing the “perimeter” of their computer systems, according to security companies, but have struggled to reduce the opportunities for employees to steal potentially valuable data.

“The data stolen does not include account passwords or social security numbers,” Morgan Stanley said in a statement. “The firm is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures including fraud monitoring on these accounts.”

Shares in Morgan Stanley were down 3.1 per cent by the close in New York.

Morgan Stanley discovered the published account information on December 27 during routine scans of the internet, according to a person familiar with the matter, who said it had received “virtually no hits”.

“Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident,” the bank said.

Getting larger in wealth management has been a big — and apparently — successful gamble by chief executive James Gorman in an attempt to move Morgan Stanley away from riskier fixed income trading and towards a more reliable source of revenues.

Last quarter Morgan Stanley’s wealth management arm made $3.8bn in revenues and pre-tax income of $836m. It employs more than 16,000 financial advisers.