The Federal Bureau of Investigation announced that its complaint against Bo Zhang had been unsealed. Zhang was arrested and charged Jan. 18 for stealing proprietary code used by the Department of Treasury in its Government-Wide Accounting and Reporting Program. The program, which is used to track government finances and issue account statements for federal agencies, cost an estimated $9.5 million to develop.
Zhang, 32, of Queens, N.Y., reportedly admitted to authorities he copied the code and used it as a training tool for a personal side business. He now faces up to 10 years in prison and a $250,000 fine.
The source code is maintained by the Federal Reserve Board of New York. Zhang allegedly accessed the code between May 2011 and Aug. 11, 2011, while working as a contracted programmer at the Federal Reserve Bank in New York.
Mike Braatz, senior vice president and general manager of bank fraud for Memento, a fraud-management software services provider, says what's notable about the case is that the Federal Reserve is taking the threat seriously by prosecuting the suspect. "But," he adds, "the fact that this type of breach was able to go unnoticed until the suspect notified his supervisor is further evidence that organizations of all types can and should be doing more to monitor the activities of insiders and detect and investigate suspicious behavior."
"Zhang took advantage of the access that came with his trusted position to steal highly sensitive proprietary software," she said. "His intentions with regard to that software are immaterial. Stealing it and copying it threatened the security of vitally important source code."
According to court files, Zhang was hired last May by an unnamed consulting firm that had been brought in by the Fed to work on computers. Investigators uncovered the breach after one of Zhang's colleagues told a supervisor he had lost a hard drive containing the code.
Julie McNelley, a research director and fraud analyst for Aite Group, says the case reinforces the value of information. "It's not just money that's the target, but also intellectual property, which can then be monetized in a variety of ways," she says. "As organizations are looking to secure their infrastructure, they need to be aware of all the ways in which valuable data could be exposed and stolen, and implement technologies and procedures to mitigate that risk."