On July 3, 2009, FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server.

According to the criminal complaint and supporting affidavit (.pdf) filed in the federal court for the Southern District of New York, Aleynikov was part of the team that developed a high-speed, automated trading system for Goldman Sachs. He resigned and left the company on June 5th, but federal prosecutors allege that in his last four days of work, Aleynikov encrypted and transferred 32 megabytes of source code relating to the automated trading system from Goldman's servers in New Jersey to a privately run document server in Germany.

Below we detail some of the evidence behind the arrest - evidence that demonstrates why adequate workplace monitoring and an appropriate response plan is key in protecting proprietary information.

A review of the criminal complaint indicates that Goldman monitors employee email messages and secure uploads (via HTTPS) originating on company networks and prohibits FTP file transfers from within the company. When a series of file transfers were initiated from Aleynikov's company account, this raised suspicions at Goldman and their internal investigation uncovered a number of details, that may be familiar hallmarks to those who have been involved in responding to the sorts of incidents:

  • Goldman recovered the log of commands issued under Aleynikov's company account, the "bash history" file found in the Unix operating system, which shows that Aleynikov's account was used to make archive copies of company source code. After the copies were made, they were encrypted and renamed and the program used to encrypt the files was erased. Finally, a command was entered to delete the "bash history" file itself. [Note: This is normally the last step taken by savvy employees to conceal improper activities. In this case, Goldman kept back up copies of the "bash history" file, so there was a damning record of an attempt to conceal what the user was doing on company computers. This is one of many ways a savvy technical move may create a not-so-savvy piece of evidence.].  
  • Goldman produced to the FBI its records of Aleynikov's company proxmity identification card. Because Goldman tracks the use of the the proximity card, it was possible for the FBI to ascertain that Aleynikov's card was used to access the company office 30 minutes before Goldman's files were transferred to Germany. Based on this information, the FBI asserts that Aleynikov himself was sitting at the keyboard typing the commands found in the "bash history" file.  
  • Goldman also turned over the logs it maintains of employee remote access to its computers. These logs allegedly demonstrate that Aleynikov issued commands from home on June 4th that sent Goldman files to servers in Germany. The FBI traced the IP address used to log in under Aleynikov's account to internet service provided by Optimum Online / Cablevision. The FBI agent apparently called and spoke with a representative at the service provider who indicated that the IP address found in Goldman's logs was being used by Aleynikov's internet account at the time of the transfer. [The FBI affidavit states that the ISP provided this information by way of conversation, but there is no mention of a subpoena or any other process.]

The FBI apparently conducted a lengthy interview of Aleynikov when he was arrested on July 3rd in which some of the details allegedly were confirmed, albeit Aleynikov apparently stated that any transfer of proprietary code was inadvertent and his intention was only to keep copies of open source materials. According to statements made to Reuters, the German authorities are working with the FBI to secure the transferred files.

This may have derailed Aleynikov's plans to work for Chicago-based startup Teza Technologies LLC. Reportedly, Aleynikov was set to start work for Teza at a starting annual salary of $1.2 million (three times the $400,000 a year he received while at Goldman), but the company has suspended Aleynikov in light of the arrest. Teza has issued the following statement in light of Aleynikov's arrest.

Aleynikov has been released on $750,000 bail. [The transcript of the bail hearing (.pdf) is available, thanks to the folks at ZeroHedge.] In addition, the court restricted Aleynikov's travel and ordered him not to access the data he transfered and imposed monitoring on his use of any computers.

There has been especially good coverage of this incident at ZeroHedge and Reuters.

Links: