12 July 2009

Goldman grabs hi-tech hacker

They seem, at first blush, the very model of a prosperous immigrant couple. A handsome pair, “Serge and Elina” from New Jersey sashayed across a stage in a YouTube clip of a ballroom dancing competition last year. A second online video tells the story of their romance, as Serge, a lonely workaholic, polishes a magic lamp to find a genie who conjures up the wife of his dreams.

But Sergey Aleynikov, a highly successful 39-year-old computer programmer with dual Russian and American citizenship, is not all he seems, according to US authorities. The FBI has accused him of pulling off the hi-tech equivalent of an audacious, safe-cracking heist. He is charged with stealing software at the core of Goldman Sachs’s electronic trading platform — a secret formula that gives the bank its competitive edge.

Aleynikov, says his lawyer, is one of the top technology geeks on Wall Street. Employed for two years at Goldman, he was on a salary of $400 000 until a Chicago start-up, Teza Technologies, poached him in early June with an offer to triple his pay. Defence counsel Sabrina Shroff told the Observer: “Only about 100 people in the world can do what Mr Aleynikov can do. He’s a very marketable man.”

Aleynikov, who was arrested at Newark airport, New Jersey on July 3, is accused of squirrelling away highly sensitive software through his computers at Goldman, and of uploading confidential code to a file-sharing server based in Germany. At a hearing in which a judge granted Aleynikov bail on a $750 000 surety, prosecutor Joseph Facciponte described the information in question as Goldman’s “proprietary, high-quantity, high-volume trading platform with which they conduct all of their trades in all major markets within the United States and other places”.

Facciponte told the judge: “They guard the secrecy of this code very strictly,” explaining that it draws information from stockmarkets in “milliseconds” to power sophisticated, highly profitable, automatic dealing. “It is something which they had spent millions upon millions of dollars developing over the past number of years, and it’s something which provides them with many millions of dollars of revenue.”

According to the FBI’s complaint, Aleynikov logged on to Goldman’s systems on at least four occasions during his last few days before quitting the bank, to copy, compress, merge and encrypt parts of this core code. One of these sessions took place after 11pm. He uploaded 32MB of information to an external website, then allegedly attempted to cover his tracks by unsuccessfully trying to erase his “bash history” — a record of activity automatically stored by the bank. Goldman picked up irregularities through its sweeping systems, which routinely monitor employee email for unusual activity.

Experts say the case underlines the challenge facing the financial industry as it struggles to protect proprietary information in a world where data can be transferred at the touch of a button, even on handheld devices.

Contrary to popular perception, external hackers are not the primary security threat to banks. About 60% of data breaches are by disgruntled, or greedy, employees, according to a study by the consultancy firm Celent. In 132 reported intrusions in the two years to February 2008, banks lost an average of $250 000 each time. Jacob Jegher, an IT security specialist at Celent, points out: “From the outside, there are numerous knocks on the door but few successful entries. But for those who work inside a bank, the door is already open.”

Banks face a delicate task in monitoring employees’ activity without making staff feel distrusted by a “Big Brother” regime. Most workers on Wall Street or in London’s Square Mile are well aware that their phone calls can be recorded by their firms’ compliance departments and that their emails are subject to scrutiny. Any external transfers of large data files send red flags shooting skywards.

“There is no bank, or any other corporation that I can think of, that will tell you it’s acceptable to take a corporate asset and transfer it to a personal computer,” says Jegher. “Generally speaking, you can’t do that.”

He adds, though, that such breaches are increasingly hard to police. Cellphones are routinely banned on trading floors — for good reason: “You could use it to snatch a photo of a screen and send it to somebody via a picture message.”

Aleynikov, a father of three, lives in the New Jersey town of Little Falls and drives a 2006 Honda Odyssey minivan. He was a programmer with Russia’s ministry of transportation before emigrating to the US in 1991, where he initially worked as a teaching assistant in the biomedical engineering department of Rutgers University. A Rutgers professor, Evangelia Micheli-Tzanakou, described him to New Jersey’s Star-Ledger newspaper as “one of the brightest students I ever worked with … He was also ambitious and driven and, by the way, an excellent competitive ballroom dancer.”

Aleynikov then joined a telecommunications company, IDT, before moving to Goldman. He is described by friends as having a quiet sense of humour.

His arrest is a huge embarrassment to Aleynikov’s new employer, Teza, a finance outfit founded by three alumni of Citadel Investment Group, a giant Chicago hedge fund. Teza suspended Aleynikov after just one day’s work last week and made it clear that it knew nothing of his “alleged misconduct”.

If Goldman’s code got into the hands of a competitor, experts say the bank could find its most valuable tricks out in the open. But Steve Katz, a former senior security executive who worked at Citigroup, JP Morgan and Merrill Lynch, says implementing a rival bank’s trading system is not easy: “Somebody’s going to have to go ahead and reverse-engineer it, figure out exactly what it is, and develop code to do something with it.”

While the collaborative culture of the world wide web sometimes encourages developers to throw their programming work open to all, Katz says straightforward theft for money would be unusual: “Investment banks are intensely competitive, but they’re not generally unethical enough to steal somebody else’s code.”

Goldman Sachs is saying little about the saga, but the bank’s decision to call in the FBI has enraged Shroff, Aleynikov’s lawyer. She says that although her client uploaded information, he was doing nothing illegal — none of the data was sensitive or shared with outsiders. Plus, she maintains, the code in question was 15 years old and its importance has been grossly overplayed by Goldman.

“If it’s that secret a code, if it’s that valuable, surely a man who downloaded it a month ago would have sold it, hawked it by now or shared it by now,” she says. “My client is one of the brightest people imaginable. I hardly think he needs to rely on some antiquated piece of code.” – guardian.co.uk