Goldman data theft – Do you know where your code is?

By now, you have all heard about the ex-Goldman VP of Equity Strategy, Sergey Aleynikov, who was arrested over the weekend for allegedly stealing the code for one of their quant trading desks. If not, you can read a good summary here (Bloomberg).

Since a number of people have covered the facts of the theft and have been posting more details as they’ve become available, I’m going to focus on the implications of the theft. First, there are already people saying that Goldman should have done a better job of protecting their code from theft. But the fact is that this guy was one of a select group of programmers responsible for maintaining the code, so he needed regular access to it or Goldman would have been wasting the $400,000 a year they were allegedly paying him.

So given that they had to give Sergey access to the code, Goldman should have been able to prevent him from encrypting the data and sending it out of the company or, failing that, to discover the loss as soon as it happened instead of what looks like weeks later.

Ideally, Goldman would have blocked Sergey from sending the data out of the company, or flagged the transfer for follow-up when it happened. According to the details so far, he downloaded the data from the Goldman servers, encrypted and compressed it on his desktop and then sent it to a server in Germany. If Goldman had proper monitoring in place, it might have picked up the attempt to send encrypted, compressed data out of the network and blocked it as it was happening. Just the fact that it was encrypted would have been a red flag to pay more attention to what was happening.
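One way a monitoring point that can see upload payloads (a proxy or DLP sensor) could flag compressed or encrypted data leaving the network is sketched below. This is an added example, not anything from Goldman or from the reporting; the 7.5 bits-per-byte threshold, the `.corp.example` internal suffix, the host names and the sample events are all constructed assumptions.

```python
import gzip, hashlib, math
from collections import Counter

# Well-known leading signatures of common compressed/archive formats.
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"BZh": "bzip2",
         b"\xfd7zXZ\x00": "xz", b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for source code, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_payload(data: bytes, threshold: float = 7.5, sample: int = 65536) -> str:
    head = data[:sample]
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return f"compressed:{name}"
    # Entropy estimates on short samples are unreliable, so require at least 4 KiB.
    if len(head) >= 4096 and shannon_entropy(head) >= threshold:
        return "high-entropy"  # no known header and near-random: possibly encrypted
    return "plain"

def review_uploads(events, internal_suffix=".corp.example"):
    """events: (user, destination host, payload). Returns uploads to follow up on."""
    flagged = []
    for user, dest, payload in events:
        verdict = classify_payload(payload)
        if verdict != "plain" and not dest.endswith(internal_suffix):
            flagged.append((user, dest, verdict, len(payload)))
    return flagged

# Constructed sample data: repetitive source text and a hash-derived stand-in for ciphertext.
SOURCE = b"def price(order):\n    return order.qty * order.limit\n" * 200
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
EVENTS = [
    ("alice", "build01.corp.example", gzip.compress(SOURCE)),  # internal, ignored
    ("bob", "files.example.net", SOURCE),                      # external but plain
    ("carol", "files.example.net", gzip.compress(SOURCE)),     # external archive
    ("dave", "files.example.net", RANDOM_LIKE),                # external, near-random
]

if __name__ == "__main__":
    for row in review_uploads(EVENTS):
        print(row)
```

A flag from this check is a prompt for follow-up rather than proof of theft, since media files and other legitimate uploads are also high-entropy.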

Early detection or prevention is important in this case, because Sergey sent the data to a server in Germany, which means that Goldman and the FBI have to jump through an extra round of hoops to find out what happened to the code once it got to the destination server, and even to prevent it from being spread right now. The data has already been exposed for a month. While that is probably too little time for it to have been actively used against Goldman, it is plenty of time for it to have been spread to competitor firms, who will eventually be able to use the algorithms that Goldman spent millions developing to give itself an edge in the marketplace.

At this very moment, Goldman is probably going through a security review, with senior management asking IT what could have been done to reduce the odds of this theft. Your company should be going through that same type of review, because every company has some sensitive data that would either level the competitive playing field if someone else got hold of it, or would just cause embarrassment if it was publicly lost. If your senior management comes to you and asks that question, what are you going to tell them?