Inside Job: GE Money in Helsinki

The 26-year-old head of data security at GE Money (I guess we would call him a CISO) in Helsinki, Finland, was recently arrested for allegedly stealing EUR200,000 (note: the linked story says EUR20,000, but other stories indicate 200,000; this is also said to be about $245k):

Pekka Pattiniemi, general manager for GE Money in Finland, told reporters that the security officer was immediately dismissed.

Apparently, stealing is against GE Money’s Acceptable Use Policy ;-) Okay, I shouldn’t make light of the story, and actually this article lends more interesting information:

The data security chief said during interrogation that he had been forced into the crimes by one of the other suspects, a 43-year-old man with a criminal background…The data security chief claimed that unknown men had forced him to bring the company’s laptop to a certain video store in Helsinki a few days before the transaction. He said that pressure had also been put on his family.

Here are some details on what is alleged to have happened:

  • The CISO stole bank software and passwords from the bank and installed them on a bank-owned laptop. He brought it to somebody at a video store (not pertinent – just a little flavor).
  • The laptop connected through a wireless LAN to access the bank and transfer EUR200,000.
  • Someone was caught trying to withdraw EUR5,000. (At least 4 people are suspected.)
  • Police initially suspected the owner of the WLAN but then found the laptop’s MAC address in the logs of the ADSL modem. (I think the security manager was a neighbor.)
  • The MAC address was traced to GE Money and then the security manager.

The transaction must have been flagged as suspicious pretty early and the IP address traced to the WLAN in question so they could catch the guy during the withdrawal. I wonder why the CISO didn’t know about the controls in place. My guess is that transaction procedures must have provided the initial suspicion.