In a case that highlights the importance of enterprise data security, an information technology worker has been arrested over allegations that he stole confidential insider information from Bank of America Merrill Lynch which he then shared with others to make investments in stocks.

Thirty-two-year-old Daniel Rivas, described only as a “former IT employee,” is alleged to have used his position at the investment bank for “serially misappropriating material, nonpublic information from the Investment Bank’s Deal Tracking System” and then “passing that information along to friends so that they could utilize it to make profitable trades.” Rivas is claimed to have on more than 50 occasions between August 2014 and April 2017 accessed information about merger-and-acquisition and tender offer transactions and then passed that information on to his friends.

Where the story gets more interesting is that the Department of Justice claims Rivas passed along some of the insider trading tips to his then-girlfriend in the form of love letters. Another man arrested, an associate of Rivas called Michael Siva, is described as working at Morgan Stanley and using his position at the firm to make the inside trades.

Given that it would appear that Rivas was never a high-ranking IT employee, the case highlights concerns about data access on enterprise networks. While corporate hacking gets all the attention, experts note that company insiders represent a larger risk to data compromise than outside hackers.

“The insider-trading charges brought against Daniel Rivas… [are] a powerful reminder of the damage that can be caused by malicious insiders and highlights the critical need for managing and controlling access to information and systems,” Gerrit Lansing, chief architect at information security company CyberArk Inc., told SiliconANGLE.

Explaining that the challenge of dealing with insider data management was a difficult one, Lansing described it as “human challenge.”

“Despite excellent training and awareness, it’s simply impossible to accurately predict who may access or leak sensitive information,” he said. “No training is 100 percent effective in stopping potential threats or helping colleagues identify precursor activity that may indicate malicious intentions. This is why technology must be combined with training to identify potential issues, enforce access rights and even automatically shut down unsanctioned activity.”

Lansing says that to combat the risk, enterprises must start with controlling and monitoring access to privileged accounts as “these are the most powerful accounts in any organization,” providing broad access to systems and devices.

“As this insider case shows, companies often fail to secure these accounts to prevent users form abusing them like this,” he said. “They too often focus on the person, not the power they have. These accounts are also anonymous – so unless you’re monitoring behavior of the accounts, you don’t know who is using them.”

Photo: jeepersmedia/Flickr