Societe Generale Confirms Insider Threat

By Lawrence Walsh  |  Posted 2008-01-28

Get out your pencils, because the hacking world may have a new king: Jerome Kerviel.

French authorities continue to unravel this intricate web of deceit, but they already know this much: Kerviel, a mid-level trader at Societe Generale, used pilfered passwords and route paperwork to conceal fraudulent trades that cost the bank more than $73.5 billion.

Since investigators and bank officials have tagged the incident “hacking,” the financial services and other financially exposed industries are going to hear an increasing din of the threat of hackers and the need to shore up their computer systems and software to guard against such monumental attacks. In other words, the security market’s FUD machine is going to fire up and use this incident to sell more products.

While Kerviel’s scheme makes for good headlines, it’s hardly anything we should be surprised about. In fact, it’s an enterprise’s worst nightmare: the compromise of sensitive data by a trusted insider. Worse, enterprises are typically powerless against employees who abuse their access since business operations require extending a certain degree of trust (conversely, accepting a certain level of risk).

Prudence and best practices say banks should monitor for fraudulent activity, even by trusted users. And guess what? Societe Generale did, and Kerviel did trip some alarms. The only problem was he knew what he was doing and the alarms weren’t significant enough to warrant action.

“In order to ensure that these fictitious operations were not immediately identified, the trader used his years of experience in processing and controlling market operations to successively circumvent all the controls which allow the bank to check the characteristics of the operations carried out by its traders, and consequently their real existence,” the bank said in a statement.


Sadly, this isn’t an isolated incident. According to the 2007 Computer Security Institute survey, roughly six in 10 enterprises reported a security breach by inside users. Enterprises stood a better chance of suffering an insider attack than having computers and networks compromised by viruses and worms, according to the survey.

Insider attacks long have been the more dangerous and destructive attacks, since they’re difficult to detect and prevent because of the users trusted access. Prior to regulations such as Sarbanes-Oxley and California’s SB 1386, few insider breaches were reported since they were just as easily covered up. Kerviel may go down as the most financially devastating to date, since the discovery of his fraud has put Societe Generale on the verge of ruin and sparked market sell offs around the world, but consider some other trusted insider and the damage they caused.  

  • Timothy Lloyd (1996):  Knowing that he was on the verge of being fired from his job at Omega Engineering in New Jersey, Lloyd used his programming skills and access as one of the company’s network administrators to plant a logic bomb. Three weeks after he was terminated, the bomb wiped the databases clean and cost the company $10 million in lost revenue. Omega Engineering eventually went out of business because it couldn’t recover from the loss.
  • Robert Hanssen (2001): the disgraced FBI agent—passed over several times for promotion—used his expert knowledge and access to steal counter-espionage and foreign intelligence data to sell to the Russians. The full extend of the damage he caused to national security over two decades may never be known, but the information he leaked did cost the lives of foreign operatives who’s identities were compromised.
  • Certegy “anonymous” database admin (2007): Details of this case are still sketchy more than six months after coming to light, but a database administrator charged with controlling access to check-cashing transaction data used his inside knowledge to steal bank account numbers and submit his own transactions. More than 8.5 million bank and credit card accounts were compromised.

Yes, enterprises should implement security controls and monitor user activity for inappropriate and prohibited behavior. Yes, enterprises should have defined segmentation and separation of duties for their employees to ensure no one user can gain access to all digital jewels. And yes, enterprises should routinely audit user accounts to ensure policy compliance.

And despite these precautions, the trusted insider will remain the most dangerous threat to enterprise security. No matter the security precautions taken, the Societe Generale/Kerviel case proves once again that no amount of technology will stop a person who you trust with your company’s digital and financial assets.

Lawrence M. Walsh is editor of Baseline Magazine and a noted security journalist. Share your thoughts on insider threats and trusted users turned hackers at