BreachExchange mailing list archives

Privacy Breach on Bloomberg’s Data Terminals


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 13 May 2013 09:03:55 -0400

http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-data-terminals.html?pagewanted=all&_r=2&;

A shudder went through Wall Street on Friday after the revelation that
Bloomberg News reporters had extracted subscribers’ private
information through the company’s ubiquitous data terminals to break
news.

The company confirmed that reporters at Bloomberg News, the journalism
arm of Bloomberg L.P., had for years used the company’s terminals to
monitor when subscribers had logged onto the service and to find out
what types of functions, like the news wire, corporate bond trades or
an equities index, they had looked at. Bloomberg terminals, which cost
an average of more than $20,000 a year, are found in nearly every
banking and trading company.

Bloomberg said the functions that allowed journalists to monitor
subscribers were a mistake and were promptly disabled after Goldman
Sachs complained that a Bloomberg reporter had, while inquiring about
a partner’s employment status, pointed out that the partner had not
logged onto his Bloomberg terminal lately.

The incident led to broader concerns about the line at Bloomberg
between its lucrative terminal business and the hypercompetitive
newsroom, threatening to undermine the credibility of both. In a
secretive world that thrives on opacity, traders and financial firms
jealously guard every speck of information about their activity to
avoid tipping their hand on their trades and investments.

“On Wall Street, anonymity is critically important. Secrecy and the
ability to cover one’s tracks is paramount,” said Michael J. Driscoll,
a former senior trader at Bear Stearns who now teaches at Adelphi
University. He added: “If Bloomberg reporters crossed that line,
that’s an issue.”

The news gathering technique appears more widespread than the Goldman
incident, which was first reported by The New York Post. A preliminary
analysis at Bloomberg revealed that “several hundred” reporters had
used the technique, a person briefed on the analysis said. (Bloomberg
employs more than 2,400 journalists worldwide. A spokesman declined to
comment on the analysis and said no reporters had been fired.)

There are also fears that the monitoring may have gone beyond Wall
Street. Banking regulators at the Federal Reserve are examining
whether their own employees were subject to tracking by Bloomberg
reporters, according to people briefed on the matter. A spokeswoman
for the Fed declined to comment.

There are now more than 315,000 Bloomberg terminal subscribers
worldwide who rely on the desktop computer for research, trading,
communication and a constant stream of financial information and news.

But as it turned out, what the subscribers were doing was not always
confidential. Bloomberg reporters used the “Z function” — a command
using the letter Z and a company’s name — to view a list of
subscribers at a firm. Then, a Bloomberg user could click on a
subscriber’s name, which would take the user to a function called
UUID. The UUID function then provided background on an individual
subscriber, including contact information, when the subscriber had
last logged on, chat information between subscribers and customer
service representatives, and weekly statistics on how often they used
a particular function. A company spokesman said both of those
functions had been disabled in the newsroom.

Terminals never allowed journalists to see specific securities or
trades, but even general hints of what users are searching could
provide a glimpse into Wall Street’s thinking — powerful currency in
the competitive world of financial journalism. Daniel L. Doctoroff,
chief executive of Bloomberg L.P. and a close confidant to the
company’s founder, Michael R. Bloomberg, said in a memo to employees
that “client trust is our highest priority and the cornerstone of our
business.” Mr. Bloomberg stepped away from day-to-day operations when
he became mayor of New York City.

Last month, the company further centralized its data security efforts,
including appointing Steve Ross, a senior executive, to the newly
created role of client data compliance officer.

“To be clear, the limited customer relationship data previously
available to our reporters never included access to our trading,
portfolio, monitor, blotter or other related systems or our clients’
messages,” Mr. Doctoroff said. He posted a damage control message to
clients on the Bloomberg terminal and blog, calling the reporting
practice a “mistake.”

Similar problems, which became public on Friday, started at JPMorgan
Chase last summer, when the bank suffered a multibillion-dollar
trading loss. Some Bloomberg reporters called the bank, people briefed
on the call said, to question whether the traders responsible for the
loss had been fired. They cited the fact that the traders had gone
silent on the terminal. The bank, the people said, objected to the
reporting technique, but did not formally reach out to Bloomberg
executives to complain. Yet bank officials soon discovered that other
Bloomberg reporters were using the approach on other stories unrelated
to the trading loss.

When Goldman raised the issue with Bloomberg last month, the media
company dispatched senior sales executives to Goldman’s Lower
Manhattan headquarters, according to people briefed on the matter. The
Bloomberg officials assured top bank executives, including Gary D.
Cohn, the firm’s president and chief operating officer, that the
problem would be resolved. “We brought this matter to the attention of
the news organization, and senior management at the company assured us
that they were taking immediate measures to address the problem,” a
bank spokesman said.

Matt Winkler, editor in chief of Bloomberg News, also contacted
Goldman to apologize for the incident. In a meeting on Friday, he
reminded reporters of the company’s policy about terminal use and the
employee confidentiality agreement.

Jonathan Corpina, a managing partner at Meridian Equity Partners, said
the incident was a reminder that nothing — not even the seemingly
secure Bloomberg terminal — was private. “It concerns people that what
they are doing is being watched and monitored by people who shouldn’t
be watching and monitoring it,” Mr. Corpina said.

Mr. Bloomberg founded Bloomberg L.P. in 1982 as a financial
information company. The company had revenue of $7.9 billion in 2012
and its high speed, data-splicing terminals occupy a prominent spot on
traders’ desks. Even though Bloomberg News has gained prominence,
counting the weekly magazine Businessweek among its assets, about 85
percent of the company’s revenue comes from its terminals. That
business provides for generous employee perks, and cushions Mr.
Bloomberg’s $27 billion fortune.

In the early 1990s, when Bloomberg L.P. had just started to build its
news division, reporters were encouraged to leverage the terminals as
a way to get a leg up on the competition, said several former
employees who would discuss practices only anonymously. Reporters
often went on sales calls to talk to banks and hedge funds about the
news division to help the company sell terminals. The practice became
much less pervasive as Bloomberg became an established news outlet,
although many Bloomberg veterans still consider the news division
solely a means to sell more terminals.

Thomson Reuters, which sells a desktop financial data product that
competes with Bloomberg and, like Bloomberg, employs thousands of news
journalists, promptly seized on its rival’s headache. “Thomson Reuters
Financial and Risk business and Reuters division operate completely
independently with reporters having no access to nonpublic data on its
customers, especially any data relating to its customers’ use of its
products or services,” said Yvonne Diaz, a Thomson Reuters
spokeswoman.

Nathaniel Popper contributed reporting.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
