Societe Generale Confirms Insider Threat

Get out your pencils, because the hacking world may have a new king: Jerome Kerviel.

French authorities continue to unravel this intricate web of deceit, but they already know this much: Kerviel, a mid-level trader at Societe Generale, used pilfered passwords and route paperwork to conceal fraudulent trades that cost the bank more than $73.5 billion.

Since investigators and bank officials have tagged the incident “hacking,” the financial services and other financially exposed industries are going to hear an increasing din of the threat of hackers and the need to shore up their computer systems and software to guard against such monumental attacks. In other words, the security market’s FUD machine is going to fire up and use this incident to sell more products.

While Kerviel’s scheme makes for good headlines, it’s hardly anything we should be surprised about. In fact, it’s an enterprise’s worst nightmare: the compromise of sensitive data by a trusted insider. Worse, enterprises are typically powerless against employees who abuse their access since business operations require extending a certain degree of trust (conversely, accepting a certain level of risk).

Prudence and best practices say banks should monitor for fraudulent activity, even by trusted users. And guess what? Societe Generale did, and Kerviel did trip some alarms. The only problem was he knew what he was doing and the alarms weren’t significant enough to warrant action.

“In order to ensure that these fictitious operations were not immediately identified, the trader used his years of experience in processing and controlling market operations to successively circumvent all the controls which allow the bank to check the characteristics of the operations carried out by its traders, and consequently their real existence,” the bank said in a statement.