What happened? As far as we can gather (the story is in The Telegraph here) the chap pressed the send button about a sensitive client matter to, er, 100 people.
You gotta hate it when that happens! In the email, details of the proposed listing price for the upcoming flotation of the former client – former automotive giant and, well, sort of bank now? – General Motors were leaked by accident. GM promptly closed its account with UBS and removed it as an underwriter from the float – hence the six million bucks loss, from fees it had been in line to collect. (The information is valuable to anyone looking to short-sell on the opening day, among other ways to make money at GM’s expense, basically.)
How do we know about this? GM had to detail it in SEC filings, as it had to protect itself against any refunds or damages from aggrieved investors because of the leak if UBS remained an underwriter on the deal.
Now, this isn’t a case of hacking – the employee made an error, and no deliberate fraud was committed, at least as far as we know. But it is a clear case of information security weakness. Insufficient safeguards were in place – or rather, sufficient safeguards had not been put in place by the IT and/or risk management team at the Swiss bank – to limit exposure.
The story is a reminder that porous corporate walls are great on some days, when we want to be all social media-ed up and interconnected, and very, very worrying on other days, when we see data walking out the door and potentially harming us.
This could have happened just as easily with a carbon copy of a memo. But it didn’t, it happened because no one had set the right rules up on the dude’s Outlook. According to Philip Lieberman, president of identity management specialists Lieberman Software, anecdotal evidence in the IT security industry suggests that between 50 and 60% of accidental data leaks originate from incorrectly addressed emails and their attachments.
"A good security policy enforcement system should be capable of intercepting any unusual or non-standard messages, and temporarily quarantining the message until an IT security official can review the data," he believes. And who’s to say he’s wrong?
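To make the quarantine idea concrete, here is an added example (not code from UBS, Lieberman Software or the original article) of the kind of outbound-mail policy check Lieberman describes: a message is held for review when content matching a sensitivity marker is addressed to anyone outside the organisation, or when the external recipient list is unusually large. The domain, thresholds, marker patterns and sample messages are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# All names, domains and thresholds below are assumptions for illustration,
# not any real bank's configuration.
INTERNAL_DOMAIN = "bank.example"          # the sending organisation's own domain
MAX_EXTERNAL_RECIPIENTS = 5               # more than this on one message is "unusual"
SENSITIVE_MARKERS = [
    re.compile(r"\b(proposed|indicative) (listing|offer) price\b", re.I),
    re.compile(r"\bconfidential\b", re.I),
    re.compile(r"\bnot for distribution\b", re.I),
]


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachment_names: list[str] = field(default_factory=list)


def external_recipients(msg: OutboundMessage) -> list[str]:
    """Recipients whose address domain is not the organisation's own."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def sensitive_hits(msg: OutboundMessage) -> list[str]:
    """Marker patterns found in the subject, body or attachment file names."""
    text = " ".join([msg.subject, msg.body, *msg.attachment_names])
    return [p.pattern for p in SENSITIVE_MARKERS if p.search(text)]


def evaluate(msg: OutboundMessage) -> dict:
    """Decide whether to deliver the message or hold it for human review.

    Hold ("quarantine") when sensitive content is headed outside the
    organisation, or when the external recipient list is larger than the
    limit even if nothing matched (a mass send is worth a look regardless).
    Sensitive content that stays inside the domain is delivered.
    """
    ext = external_recipients(msg)
    hits = sensitive_hits(msg)
    reasons = []
    if hits and ext:
        reasons.append(f"sensitive content to {len(ext)} external recipient(s): {hits}")
    if len(ext) > MAX_EXTERNAL_RECIPIENTS:
        reasons.append(f"{len(ext)} external recipients exceeds limit of {MAX_EXTERNAL_RECIPIENTS}")
    action = "quarantine" if reasons else "deliver"
    return {"action": action, "reasons": reasons,
            "external_recipients": ext, "hits": hits}


# Constructed sample messages, loosely modelled on the incident in the article
# (these are not the real emails).
LEAKED_NOTE = OutboundMessage(
    sender="analyst@bank.example",
    recipients=[f"investor{i}@fund{i % 7}.example" for i in range(100)],
    subject="Client update: proposed listing price",
    body="Confidential: the proposed listing price range for the float is ...",
)
INTERNAL_SENSITIVE = OutboundMessage(
    sender="analyst@bank.example",
    recipients=["deal-team@bank.example"],
    subject="Confidential pricing discussion",
    body="Draft of the proposed listing price, internal only.",
)
ROUTINE_NOTE = OutboundMessage(
    sender="analyst@bank.example",
    recipients=["colleague@bank.example"],
    subject="Lunch",
    body="Sandwiches at 12?",
)

if __name__ == "__main__":
    for m in (LEAKED_NOTE, INTERNAL_SENSITIVE, ROUTINE_NOTE):
        verdict = evaluate(m)
        print(f"{m.subject!r} -> {verdict['action']}")
        for reason in verdict["reasons"]:
            print("   ", reason)
```

The check is deliberately conservative on the one side (any sensitive marker going to a single external address is enough to hold the message) and permissive on the other (sensitive content that never leaves the domain is not flagged), so the review queue fills with the cases Lieberman is talking about rather than with every internal deal discussion. A real deployment would also want the marker list tied to the document-classification scheme and a per-sender baseline for what counts as an unusual recipient count.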
$6.2m of lost revenue opportunity is one thing; the fact that the rest of the world gets to comment on UBS’ shortcomings here is a far bigger issue.
Don’t let this happen to you. The CIO or CISO or Risk Manager must continually strike a balance, and it may be a daily act, between openness and security. If you don’t… will we be writing about you next week?