Bloomberg data breach: 10,000 private messages posted online

By Pierluigi Paganini, Editor-in-Chief, CDM

May 15, 2013, 11:30 am EST

Bloomberg was the victim of an accidental data breach: shocking news reports said that the financial data and news service posted online more than 10,000 private messages between traders and clients at some of the world’s largest banks.

Bloomberg supplies financial terminals to traders, regulators and central bankers worldwide, with more than 315,000 terminal subscribers. Paying an annual fee of about $20,000, its clients have access to the service to gather real-time data on markets and to instant message each other.

The debated possibility of Bloomberg reporters accessing private information on Wall Street through the company’s terminals puts the company in an uncomfortable position. Some of Bloomberg LP’s biggest clients on Wall Street are re-evaluating their agreements with the company to discover how much information Bloomberg can access from desktop terminals. Goldman Sachs Group and JP Morgan Chase have complained about the practice of Bloomberg reporters being able to see when each of their employees is signed on and what kinds of functions employees use through keystrokes on the terminal.

“It’s pretty surprising that an organization this big has given that kind of open access to user information,” “This is going to be a challenge for Bloomberg. This hole should have been locked down.” “This industry is all about confidentiality,” “When you give access to information about when a user is logged in and what they are doing with their terminal, that violates a confidence. That could be an issue,” said Larry Tabb, founder of Tabb Group, a financial markets research firm.

The repercussions are serious: a subscriber agreement would be reworked to provide more guarantees against this type of incident in such a confidential sector.

The exposed data seems to be part of a former employee’s data mining activity conducted from 2009 to 2010. The news was first published by The Financial Times after Matthew Winkler, Bloomberg editor-in-chief, had admitted that the news agency had allowed its journalists access to confidential client data from the 1990s.

The situation is as embarrassing as it is worrying. Matthew Winkler stated in a Bloomberg article:

“Our reporters should not have access to any data considered proprietary. I am sorry they did. The error is inexcusable,” “Last month, we immediately changed our policy so that reporters now have no greater access to information than our customers have. Removing this access will have no effect on Bloomberg news-gathering.”

Winkler confirmed that reporters had limited access to data and that the journalists had no ability to look into specific security information:

“Now let’s also be clear what our reporters had access to. First, they could see a user’s login history and when a login was created. Second, they could see high-level types of user functions on an aggregated basis, with no ability to look into specific security information. This is akin to being able to see how many times someone used Microsoft Word vs. Excel. And, finally, they could see information about help desk inquiries.”


The company is in the middle of a storm: it is being investigated by different agencies such as the U.S. Federal Reserve, the European Central Bank and the U.S. Treasury, after senior executives at Goldman Sachs reported that a Hong Kong-based Bloomberg reporter had called to ask about a partner’s employment status after noticing the person hadn’t accessed the company’s Bloomberg terminal service for a period of time.

Last week, Daniel L. Doctoroff, CEO and President of Bloomberg L.P., wrote on the Bloomberg Blog that a Bloomberg client recently raised a concern that Bloomberg News reporters had access to limited customer relationship management data through the Bloomberg Terminal service.

The CEO confirmed that the corporation has long made limited customer relationship data available to its journalists, admitted the mistake, and moved to protect customer relationship data by changing corporate policy and adopting other mitigation measures.

“Last month we changed our policy so that all reporters only have access to the same customer relationship data available to our clients,” “Additionally, we decided to further centralize our data security efforts by appointing one of our most senior executives to the new position of Client Data Compliance Officer. This executive is responsible for reviewing and, if necessary, enhancing protocols which among other things will continue to ensure that our news operations never have access to confidential customer data.”

Just a few days ago I wrote an article on the declassified NSA document Untangling the Web, explaining the potential of publicly available search engines. Well, the data breach was discovered simply with a Google search by a Financial Times reporter who noticed the confidential lists. More than 10,000 messages were published; the data breach is a serious matter, but fortunately the confidential lists were immediately removed from the Internet.

It is curious that New York City Mayor Michael Bloomberg, the principal owner of the financial information company, refused to comment on the privacy and security breaches due to an agreement with the city’s Conflicts of Interest Board.

“Our editorial and reporting standards have been among the most stringent in the business for more than 20 years. We apologize for our error as it does not reflect on our culture or our heritage. And we will strive to continue to uphold the highest standards while adhering to the best practices in the industry as long as we may be fortunate to serve our customers as they would have us serve them.”

The incident raises many questions about how the major world players take care of the privacy of their customers. In any case, I appreciated the admission of liability by Bloomberg, which I believe will have serious repercussions on the data breach.

(Source: CDM & Security Affairs – Data Breach)
