[SecurityRatty] tag: taxes

Is That a Coffee Table or a Munition?

Tue, 25 Nov 2008 09:40:20 +0000

One of the standard software security prescriptions for the SDLC is to data classification and enforce least privilege. From a security perspective this sounds fantastic, especially on a whiteboard. When the rubber meets the real world road, things often turn out slightly different.

It turns out that it is hard to conduct business with excessive granularity.

Here is an article from The Economist on the challenges of space technology, commercialization and information sharing. This is widely applicable to corporate information security policies:

Gravity is not the main obstacle for America’s space business. Government is
IN THE spring of 2006 Robert Bigelow needed to take a stand on a trip to Russia to keep a satellite off the floor. The stand was made of aluminium. It had a circular base and legs. It was, says the entrepreneur and head of Bigelow Aerospace in Nevada, “indistinguishable from a common coffee table”. Nonetheless, the American authorities told Mr Bigelow that this coffee table was part of a satellite assembly and so counted as a munition. During the trip it would have to be guarded by two security officers at all times.

Exporting technology has always presented a dilemma for America. The country leads the world in most technologies and some of these give it a military advantage. If export rules are too lax, foreign powers will be able to put American technology in their systems, or copy it. But if the rules are too tight, then it will stifle the industries that depend upon sales to create the next generation of technology.

It is a difficult balance to strike and critics charge that America has erred on the side of stifling. They claim that overly strict export controls have so damaged the space industry that America’s national security is now threatened by its dwindling leadership in space technology. The system, they complain, fails to distinguish between militarily sensitive hardware that should be controlled and widely available commercial technologies, such as lithium-ion batteries and solar cells. The zealous application of the export rules is the American space industry’s biggest handicap.

Read the whole thing its fascinating. So what started off as well intentioned asset protection eventually compromised the most important asset of all - strategic advantage.

So what's a better model? I am partial to think about these sorts of problems as free trade agreements. Each integration point should have a set of policies, and enforcement mechanisms that also include compensating transactions.

For example, did you know that in the US you can buy companies that trade on other exchanges through ADRs? You buy the ADR of say a French Telco which trades on a European exchange only you buy the ADR on the NYSE or Nasdaq. Then the French Telco issues you a dividend because you are a shareholder, but the French government withholds the dividend for foreign owners. Yet because there is a free trade agreement between the two countries, the US lets you write off the unreceived portion of the dividend on your taxes. (this may or may not be the case in US-France just an example). Anyway, its not a silver bullet but its an interesting strategy.

XSS Comedy III: Tax Cheats with Small Equipment

Wed, 12 Nov 2008 13:52:00 +0000

As part of an ongoing series, if I may I, the third in a series on the absurd, inane, and perhaps even funny. Lest you forget: the first and second in the series.
I don't know about you, but I enjoy occasionally watching offerings like the History Channel, AMC, or the Military Channel. I'm a 40ish, white male and as such I likely fit the general demographic as perceived by the marketing geniuses who buy the late evening advertising blocks on these channels.
That does NOT mean that I cheat of my taxes and thus need the services of a plethora of scam artists selling tax relief. Nor does it mean that I have any interest in "enhancement" opportunities like Enzyte or ExtenZe.
I just love people who choose to skip out on a primary obligation of citizenship that most of us choose to meet, and expect to magically turn $100,000 in tax debt into $999. Then there are the "businesses" who exploit these folks and willingly convince them of their "success" via the power of advertising, at which point my patience just snaps, as it did last night.
Thus, part one of this rant is a mighty bugger off to all the "tax relief" companies. To their patrons, may I suggest simply paying taxes like the rest of us?
Here's an XSS vulnerability in the Freedom Financial Network, "as seen on TV", designed to express precisely how I feel:

http://www.freedomfinancialnetwork.com/tax_debt.php?pid=ffn+go&key=%22%3E%3Cmarquee%3E%3Ch1%3ENOTHING_IS_FREE!%3C%2Fh1%3E%3C%2Fmarquee%3E

If and when they fix this issue, here's the video for posterity.

Part two of this rant will get you more bang for your buck, and I'm not talking enhancement.
Thanks to my utter disdain for the endlessly annoying advertising I went to the ExtenZe site to see what might be broken which immediately led me to discover an entire platform vulnerability in the ColdFusion application built by Internet Direct Response (IDR), the wankers who proudly bring you Maxoderm, Vivaxa, Vazomyne, Smoke Away, and Hydroxydrene; all such reputable products, and all repetitively wearing me out via DirectTV. At the ExtenZe site I spotted a variable that seemed worthy of building a Googledork from, and I soon discovered that it was a consistent variable in most of the sites pimping this crap; specifically, microppcsite. You can follow all the search results back to our friends at IDR.
A little experimentation and I quickly discovered that the similar microppcterm variable was vulnerable to entertaining XSS exploitation so I started with:

http://www.extenzeforlife.com/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EToo_short,_Morningwood?%3C%2Fh1%3E%3C%2Fmarquee%3E&gclid=CJ3T2NXH8JYCFQQCagod7xyBrA

Pick your poison, it works on most IDR gems.

http://www.enzyte-male-enhancement.com/google/?microppcsite=googleµppcterm=%22%3E%3Cmarquee%3E%3Ch1%3EBob_just_wants_your_money.%3C%2Fh1%3E%3C%2Fmarquee%3E

Again, a video, should IDR choose to fix their app.

And now, the grand prize for pathetic: The ExtenZe site is McAfee Secure.

I couldn't make this stuff up if I tried.
You thought www stood for world wide web. Try wee willy wankers. *sigh*

del.icio.us | digg | Submit to Slashdot

Feds tighten security on .gov

Sun, 21 Sep 2008 20:00:00 +0000

When you file your taxes online, you want to be sure that the Web site you visit -- www.irs.gov -- is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency.

Comments made in 1955

Wed, 09 Jul 2008 17:42:42 +0000

Great Site I found today,
Who would have thought they would say these things the year I was born!

clipped from www.thecoolnews.org

Comments made in 1955 (53 Years Ago)

Author: Metalwarrior

16
Apr

“Thank goodness I won’t live to see the day when the Government takes half our income in taxes. I sometimes wonder if we are electing the best people to congress.”

“I’m afraid the Volkswagen car is going to open the door to a whole lot of foreign business.”

“It won’t be long before young couples are going to have to hire someone to watch their kids so they can both work.”

“I read the other day where some scientist thinks it’s possible to put a man on the moon by the end of the century. They even have some fellows they call astronauts preparing for it down in Texas ..”

“When I first started driving, who would have thought gas would someday cost 29 cents a gallon. Guess we’d be better off leaving the car in the garage.”

“Did you see where some baseball player just signed a contract for $75,000 a year just to play ball? It wouldn’t surprise me if someday they’ll be making more than the President.”

SCSU web server becomes spam server and exposes personal information

Fri, 02 May 2008 07:12:47 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
Southern Connecticut State University

Contractor/Consultant/Branch:
None

Victims:
Current and former students

Number Affected:
11,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."

Reference URL:
SCSU Alert
PCWorld
NBC Channel 30 News
Chronicle of Higher Education

Report Credit:
Southern Connecticut State University

Response:
From the online sources cited above:

From the University's Alert Page:
During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.
[Evan] As you will read further in this posting, the web server appears to have been compromised. I don't think "could have been vulnerable" is an accurate assessment. The information WAS vulnerable.

The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation.

Records of about 11,000 students had been stored in the file dating back to 2002.
[Evan] Personal information belonging to thousands of people on a public web server. UGH.

Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.

There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.
[Evan] Even novice web site administrators log access to web pages and files. If the attacker accessed the file through the web service/daemon, then access was probably logged. If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access. Either way, I assume that the file could have been accessed easily.

The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.
[Evan] What is proactive in a response?

The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.
[Evan] The University should undertake a review of all files containing personal (and other confidential) information everywhere, not just its Web server. Why would personal information storage be permitted at all on a web server?

Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.
[Evan] At the "university's expense" means at the current and future student's expense. As the cost of business goes up, so does the cost of service (at some point) which means an increase in the price of tuition or increase in taxes (SCSU is a member of the Connecticut State University System). Does this sound like good management?

A help desk has been established to respond to questions. The help desk number is: (203) 392-7216 and will be staffed between the hours of 8:30 a.m. to 4:30 p.m.

A dedicated Web page, containing updated information, has been created and may be accessed at www.southernct.edu/creditmonitoring/

Now From Outside Sources:
Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.
[Evan] Do you see how the school's alert web site differs from outside sources? See a spin (one way or the other)? Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time? Maybe a combination of the two.

The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.
[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.

"The hackers were using our Web server as a host for their own Web site," he said.

Pages on the university's site contained ads for diamond rings, Viagra and Cialis.

After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.

The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate

Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.

Commentary:
There are so many things wrong with this, it is hard to know where to start. Will anyone be held accountable.

Past Breaches:
April, 2008 - Stolen SunGard laptop affects at least 10 post-secondary schools (PogoWasRight has been keeping a running update of the Sungard breach, check out their search.)

Tax information exposed in trash

Mon, 07 Apr 2008 09:20:28 +0000

Technorati Tag: Security Breach

Date Reported:
4/6/08

Organization:
Peter Roberts, FCA

Contractor/Consultant/Branch:
None

Victims:
Clients

Number Affected:
"dozens"

Types of Data:
"names, addresses, tax information, business transactions, and social insurance numbers"

Breach Description:
"The private information of dozens of British Columbians was unearthed from a dumpster in downtown Vancouver and turned over to CTV News over the weekend."

Reference URL:
CTV News

Report Credit:
David Kincaid and Jina You, CTV British Columbia

Response:
From the online source cited above:

The private information of dozens of British Columbians was unearthed from a dumpster in downtown Vancouver and turned over to CTV News over the weekend.

Documents containing names, addresses, tax information, business transactions, and social insurance numbers from several firms in a Howe Street office building were visible by someone having a cigarette in the alley.
[Evan] Not just one firm, but "several firms"!

Many of the documents -- marked with phrases such as "personal and confidential" -- come from the office of Peter Roberts, a well-known accountant.
[Evan] Mr. Roberts is a director of the Canadian Institute of Chartered Accountant's (CICA) Risk Management and Governance Board. He has set a very poor example in risk management and governance.

When reached by phone, Roberts said that he put a bag full of the documents in the dumpster on Saturday.

He said he doesn't own a shredder and believed the documents would be safe because the dumpster is secured by a padlock.
[Evan] Not owning a shredder is an absurd excuse. Heck, you can buy a aper%20Shredders">paper shredder for less than a hundred bucks!

But to Vancouver's large and innovative homeless population, a lock isn't much of a safeguard.

"Guys will bend ... the lids or use rocks to pry them open," said one binner to CTV News.

"I watched a guy cut a lock off a bin with bolt cutters and he took 35 cents out of the bin, but the lock cost $19.95," he said.

"Businesses need to know it's not something they should know, it's a legislated requirement that they know," said Valerie MacLean the executive director of the BCCPA. "They have to protect their clients and employees information."

The penalties for breaking the law on protecting privacy can be stiff: individuals face a maximum $10,000 fine, and companies can be fined as much as $100,000.
[Evan] A fine of up to $10,000, loss of customer confidence, bad press, etc., or invest in a $100 paper shredder. Risk management?

Among the documents found this weekend are:

Federal T1 tax return forms from 2003 to 2008, including names, financial details, addresses, and social insurance numbers
Federal T1013E forms, which contain names, addresses, social insurance numbers, and telephone numbers
Property sales, which include names, addresses, prices paid for the property, and balance owing to solicitors in the deal
Consent forms, which include names, addresses and phone numbers
Statements of investment income, which include financial details.
Draft statement of account, including names, addresses, and a detailed breakdown of expenses

Many of the documents appeared to be drafts or copies for records, and as such did not contain signatures. A few of the pages were hand-shredded, but for the most part the documents were intact.

One of the pages was a letter from Roberts addressed to the Institute of Chartered Accountants of B.C., which describes itself on its website as a group that fosters public confidence in the profession of chartered accountants.

Victim Reaction:
"Oh my gosh," said one of Roberts' clients, David Weinberg, whose name was on several files
[Evan] I wonder if this quote may have been edited for public consumption. I wonder if my reaction would be as politically correct.

"I'll have him either return this to me or assure me that he will be changing his privacy practices going forward to assure that not just this but all of his clients' documents are properly shredded."

Commentary:
Many companies turn to accountants (and accounting firms) for guidance on "IT Audit, Governance & Security", and I question how valuable this guidance is sometimes. I don't want to discount the information security guidance given by all accountants because to do so would be unfair. I have seen many cases where an organization has put too much credence in the guidance of unqualified accounting firms. On the other hand, I have seen some impressive guidance too. I guess I wouldn't call an information security professional to audit my books or do my taxes, so I don't think I would call an accountant to audit my information security.

Past Breaches:
Unknown

Toronto Columnists: City Owned Exclusive Broadband a Good Deal

Mon, 31 Mar 2008 09:50:27 +0000

Scary idea to force Torontonians to implement universal broadband, even to those with broadband: I'll admit I don't understand Canada as well as I should, but this column in the Toronto Star advocates public ownership of broadband in the city that would supplant all privately supplied broadband to homes. I'm not kidding. Toronto Hydro is considering selling its telecom division, which includes its well-engineered but limited One Zone service (6 sq km of downtown).

This op-ed recommends that the city buy the division, and have it build service, which they estimate at about $100 per household, which could save $300 to $400 per household per year for those with broadband. But that means that they prefer any market for broadband to be destroyed in favor of a publicly owned and operated network. Which, frankly, would scare me if such a thing were proposed in my city.

It's not so much that any given broadband firm is so marvelous that I wouldn't prefer another. (I am surprisingly happy with my DSL from incumbent Qwest, including their fantastically improved technical support.) But, rather, that cities seem to do best in ensuring that missing pieces of all kinds are provided to those least able to advocate for themselves. This, in my mind, extends to cities providing incentives for supermarkets to be built in disadvantaged areas. (There's always an irony that people least able to afford food must travel the furthest to obtain food at prices below that offered in their neighborhood, typically through convenience stores. That's changing.)

One prominent argument that I found myself agreeing with when the discussion of municipal Wi-Fi was in its infancy was the problem of building a broadband network that used taxpayer dollars to improve the lot of some citizens, often those who could afford a variety of broadband options. Plans that used city budgets to reduce costs for telecom or provide municipal services are more egalitarian, and seem to have won the day.

In this case, the op-ed writers are suggesting a course that would eliminate all competition. Can anyone trust their city well enough that they support starting a bureaucracy that would completely de facto (not de jure) prevent any better service from being installed? Or that would require you to pay as part of your taxes for service that you wouldn't use?

The columnists do more sagely suggest that a "city-wide fibre/wireless network could be an important boost to city departments and other civic services that have growing needs for networking, such as education, libraries, police and emergency health services."

To be liberated, you need to be educated in the facts

Fri, 28 Mar 2008 11:28:30 +0000

Online safety 101. When will it happen? Sadly, never.
Uninformed users will continue to fall for scams and allow their computer and others to be infected and give the malware marketeers lots of profit.
Ok, Im done ranting, Im fine now, really.

clipped from www.download.com

Spyware Horror Story: Debugging for newbies

As liberating as computers are, it’s terrifying when things go wrong. You’re left abandoned, even mocked!, by the tools on which you’ve come so heavily to rely. It’s like having your trusty accountant wipe a stack of forms to the floor, storm out of the office, and leave you to sort out your own taxes.

Union Mortgage loan applicant information found in dumpster

Fri, 29 Feb 2008 11:14:23 +0000

Technorati Tag: Security Breach

Date Reported:
2/22/08, updated on 2/28/08

Organization:
Union Mortgage Services of Cleveland, Inc.

Contractor/Consultant/Branch:
None

Victims:
Loan applicants

Number Affected:
Unknown*

*"hundreds of people" including "Thousands of pages of sensitive documents"

Types of Data:
Information that is typically found in loan applications, including bank statements, credit reports, and tax returns.

Breach Description:
Thousands of pages of sensitive loan application information were discovered in a dumpster behind a pizza shop in Cleveland, Ohio. The documents were allegedly discarded by employees of Union Mortgage Services of Cleveland, Inc., which has closed down after failing to pay taxes or failure to file tax returns.

Reference URL:
WKYC-TV News

Report Credit:
WKYC-TV News, by way of Attrition.org

Response:
From the online source cited above:

Thousands of pages of sensitive documents were thrown out in a dumpster located behind a pizza shop at East 105th and Superior in Cleveland.

Confidential files were found on hundreds of people who applied for loans with a company called Union Mortgage, whose last known addresses were in Beachwood and Parma.
[Evan] Union Mortgage Services addresses are/were; 23611 Chagrin Blvd Suite 275 Beachwood, OH 44122 and 1440 Snow Road Suite 118 Parma, OH 44134

Investigator Tom Meyer learned the company closed its doors recently after either failing to pay taxes or file its tax returns
[Evan] Sounds shady for a mortgage company that people trust much of their financial lives with.

Channel 3 News retrieved as many documents as possible and returned them to their rightful owners.

Ken Knabe, a lawyer from Lakewood, was shocked that we had his bank accounts, credit reports, tax returns and other personal information including his social security number. "That's appalling. This is private information in a dumpster,"

Channel 3 News returned files of information on Kim and Edwin Soeder of Mentor, including their retirement accounts. "It makes you wonder how bad your credit rating becomes if people get this in their hands," said Mrs. Soeder.

Ohio Attorney General, Marc Dann, has sued another mortgage company, Randall Mortgage Services, Inc., for allegedly abandoning customers' loan and financial information. Dann says he would take action against Union Mortgage if customers came forward and filed complaints with his office.

[Evan] Attorney General Marc Dann's site has some good information for consumers. To file a complaint, visit http://www.ag.state.oh.us/citizen/consumer/complaints.asp

Dann said businesses that collect personal information are responsible for protecting it just like they would protect their own information.

Commentary:
This is similar to the First Magnus breach reported earlier this month. Similarities include two financially troubled (or bankrupt) loan companies that figured their obligation to protect confidential personal information ceased when they closed the doors. The obligation to protect information entrusted to you only ceases when you transfer custodianship (i.e. return it to the owner, destruction, etc.)

I assume that we will only continue to see more of these types of breaches as more loan companies continue to suffer from today's credit crunch. When I researched Union Mortgage Services for this posting, I had a general sense of uneasiness. The lack of discovered background information and other legitimate references about the company might have made me question whether or not I would have done business with them in the first place. Hindsight is 20/20 they say.

Past Breaches:
Unknown

Cashing in on employee theft, or honest whistleblower?

Mon, 25 Feb 2008 11:03:19 +0000

Technorati Tag: Security Breach

Date Reported:
2/22/08

Organization:
LGT Group - The Wealth and Asset Management Group of the Princely House of Liechtenstein
English Version
German Version
French Version
Italian Version

Contractor/Consultant/Branch:
LGT Treuhand AG
(LGT Trust Ltd in English)

Victims:
Clients of LGT Trust (prior to 2002)

Number Affected:
~1,400*

*there may be an additional 4,527 beneficiaries affected.

Types of Data:
Confidential bank account information.

Breach Description:
Confidential customer information was stolen from LGT Trust in 2002 by a former employee of the company. As a result of this breach, Heinrich Kieber was convicted of "serious fraud, dangerous threats, unlawful compulsion, and suppression of documents." Now it appears that German authorities paid Mr. Kieber "as much as 5 million euros ($7.4 million)" for information about German account holders for the purpose of investigating tax evaders. Other countries that are interested in the information allegedly stolen by Mr. Kieber include the United Kingdom (U.K.), the United States (U.S.), Australia and others. Mr. Kieber now has a new identity (possibly as part of the arrangement with Germany) and his whereabouts are unknown.

Reference URL:
LGT Group Media Communique dated 2/24/08
[Evan] Highly recommended interesting read
The Australian online news story
Bloomberg.com online news story
MarketWatch online news story

Report Credit:
Chad Thomas, Bloomberg.com

Response:
From the online sources cited above:

For LGT Group, all the facts now point - despite contradictory statements form sources said to be close to the German intelligence service - to the fact that the data material illegally disclosed to the German authorities is limited, in as far as LGT is concerned, to the client data stolen from LGT Treuhand in 2002.

Even though other rumors have been circulated about the occurrences, LGT Group is assuming on the basis of numerous indications that the person, who illegally passed the data on to the German intelligence service, is the same former employee of LGT Treuhand who stole the data in 2002.

Apparently, the stolen data material has also been illegally disclosed, directly or indirectly, to other authorities. According to reports in the media, the previously convicted offender was paid a sum of several millions for the information and was provided with a new identity.

this is a possibility that law firms were interposed as intermediaries. LGT will now re-register its report of a criminal offence committed by a person unknown directly against the convicted data thief.

approximately 1,400 client relationships with LGT Treuhand, which were established before the end of 2002. The largest proportion, about 600 clients, are resident in Germany. The figure circulated in the media of 4,527 sets of data represents the number of beneficiaries of all the foundations

it has become increasingly clear that the so-called "informant" of the BND German intelligence service is indeed the same convicted data thief who illegally disclosed the client data in 2002

Acting on the information, German authorities raided the home of one of the country's most high-profile executives, the chief executive of Deutsche Post AG, alleging he evaded paying about E1 million in taxes.

The government, which paid as much as 5 million euros ($7.4 million) for information on German account holders in Liechtenstein on a disk provided by an informant to the Federal Intelligence Service, or BND, will share this information with other countries, the finance ministry said today.
[Evan] You mean to tell me that its possible (and acceptable) to steal confidential corporate information and sell it for big bucks? German authorities paid over $12,000 per record (7,400,000/600)! The question is, is this an informant or a data thief cashing in?

U.K. tax collectors, after initially turning up their nose at an informant's offer to sell them confidential data from a Liechtenstein bank, have now paid up and have information on about 100 wealthy British subjects

they were persuaded to pay the informant around 100,000 pounds only after Berlin tax officials launched in recent weeks a high-profile crackdown on Germans with money said to be stowed away in Liechtenstein
[Evan] The UK got a deal. They only paid ~$2,000 per record.

Australian authorities have been given details of Australian clients of Liechtensteinische Landesbank (LL, according to reports in the Wall Street Journal and Guardian newspapers.

"The Australian Tax Office does not pay for information about tax schemes," an ATO spokeswoman said. "Nonetheless, we have a good flow of information from people concerned about fairness and equity in the tax system."
[Evan] The best deal of all. Australia got the stolen information for free!

The former employee, who was convicted of the data theft, is a Liechtenstein citizen named Heinrich Kieber (HK).

He was active from October 1999 as an external employee of an IT-company, and from April 2001 to November 2002 as an employee of LGT Treuhand. At the time of his recruitment and during his employment with LGT Treuhand, he had not been previously convicted of a crime. However, as would become known later, an arrest warrant had been issued against HK, which was not accessible for examination during the standard checks carried out on new employees.

This arrest warrant was linked to a real estate deal in Spain in 1996, which HK had allegedly financed with uncovered checks, and was issued by the Spanish criminal prosecution authorities in 1997, firstly at national and subsequently at international level.

It has been reported that he (Heinrich Kieber) has been given a new identity and is living in Australia.

Commentary:
This is a very intriguing story and one that will take a while to shake out. I am a little torn by the series of events, and struggle with the ethics of it all. I don't think Heinrich Kieber is any kind of hero by any means. I think he is a common thief that just received a huge payday.

A couple of questions to think about:

Do you think Heinrich Kieber is lucky criminal, or do you think he is an honest "informant" and "whistleblower"?
If he were truly an honest guy, why would he shop the confidential information around like he did and not give it freely?
Do you think this story will encourage other insiders to follow suit?

On one hand authorities catch criminals, which is great! On the other hand, we just enabled (and in some circles encouraged) insider criminal activity and potentially employee fraud. Read the LGT Group Media Communique, it is very interesting stuff.

Past Breaches:
Unknown