Security The Almighty Buck News IT

Post Mortem of GunnAllen IT Meltdown

CowboyRobot writes "The story begins when GunnAllen, a financial company, outsourced all of its IT to The Revere Group. Before long, it was discovered that 'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.' In addition to the obvious security concerns of sending information such as bank routing information and driver's license numbers, the act violated SEC rules because the routed information was not being logged. Regardless of whether the cause was negligence, incompetence, or sabotage, the matter was swept under the rug for a time until unpaid SQL Server licenses meant threatening calls from Microsoft as well. The rest of the story is one of greed, mismanagement, and neglect, and ends with the SEC's first-ever fine for failure to protect customer data."
  • Re:HAHA (Score:5, Insightful)

    by El Puerco Loco ( 31491 ) on Monday October 08, 2012 @10:40PM (#41592913)

    'A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem.'

    That's got to be the funniest thing I've ever read on /. Seriously, it sounds like something from an Onion story.

  • Re:Outsourced (Score:5, Insightful)

    by AK Marc ( 707885 ) on Monday October 08, 2012 @10:53PM (#41592991)
    For the same reason they don't outsource their upper management. After all, CEOs cost money, why not outsource CEO to a management company and cut costs. After all, they are a finance company, not a management company, so all their management should be outsourced.
  • Re:Outsourced (Score:5, Insightful)

    by JDG1980 ( 2438906 ) on Monday October 08, 2012 @11:18PM (#41593105)

    They are a finance company. Not an IT one

    If you run any business beyond the level of a mom-and-pop restaurant, you are in the IT business whether you want to be or not. The only question is whether you will leverage IT as a strategic asset or be outcompeted by those who do.

  • Re:Outsourced (Score:5, Insightful)

    by AK Marc ( 707885 ) on Monday October 08, 2012 @11:33PM (#41593191)
    Consultants are often used for outsourcing blame, rather than outsourcing capability. "Oh, our consultant recommended that."
  • Re:Outsourced (Score:5, Insightful)

    by Rhinobird ( 151521 ) on Monday October 08, 2012 @11:39PM (#41593223) Homepage

    Eventually the people in charge are going to realize that any kind of financial institution is basically a database on the internet that holds and exchanges account information. And then they're going to turn ghostly white as they realize all these strangers are touching the equipment that, in a very real sense, IS the bank, er, financial whatever...or worse, those strangers OWN the equipment that IS the financial gobstopper.

    And then, at least in finance, outsourcing IT will be seen as a form of insanity.

  • Re:Sigh... (Score:5, Insightful)

    by girlintraining ( 1395911 ) on Monday October 08, 2012 @11:47PM (#41593259)

    A financial company outsourcing its IT ought to be considered criminal negligence.

    Outsourcing IT isn't the problem. A failure to oversee the IT services provided was the problem; a complete lack of auditing and process control. I wish people would stop looking at outsourcing as somehow evil; it makes sense in a lot of cases. Most corporations have other companies contracted to replace and maintain printers. Most office printers have the ability to retain all documents printed from it, locally, to a hard drive inside it. That isn't a problem by itself -- unless you don't know that the functionality is enabled, and don't audit or remove the drives before the printers are rolled out the front door with all your confidential data... that you thought was secure because you had a contract to shred all your documents.

    The story of GunnAllen's criminal negligence starts with the CTO and board of directors -- who fired people for coming forward with security problems, and had a very obvious closed-door policy. Nobody with the parent company wanted to hear about problems, and it's no surprise that the firm they contracted with heard that loud and clear -- and propagated the same attitude right on down the line. "See no evil, hear no evil" often leads to a lot of people doing evil.

    GunnAllen's story is one being repeated by the thousand every morning of every workday across our industry. Managerial incompetence leads to otherwise trivial problems becoming fines, bankruptcy, and lawsuits. This story is not about the failures of IT -- IT was involved, but it was not that failed. It was the people at the top... and when the extent of the damage was finally discovered by the government, they tried to pin it all on former employees and the people under them. I'd like to know where those managers are now, because I know they'll eventually find themselves in another position of power at another company. Whereas all the engineers and people who actually worked for a living, well... we all know what happened to them, whether the article says so or not.

    You want to fix problems like this: Start with accountability.

  • Re:Sigh... (Score:4, Insightful)

    by LordLucless ( 582312 ) on Tuesday October 09, 2012 @12:46AM (#41593503)

    I'd have to disagree. We have our own in-house IT department... but a small part of our business is providing outsourced IT. And our stuff is ridiculously overbuilt and robust.

    It's not about robustness in these instances. It's about power and accountability. When you have hugely sensitive information (medical records, credit card details or financial records) you must be in control of your own systems. While downtime sucks, downtime is often better than data compromise in these cases.

  • It sucks on your end but on the other end you always get great service by demanding more for less.

    I have news for you. People have the most ingenious ways of paying back arseholes. Thus, you don't always get great service by demanding more for less.

    As a matter of fact, you may [meaning almost certainly WILL] get pretty bad service when you treat people badly - by continually demanding more for less, past the point of reasonableness and fairness.

  • by Joe_Dragon ( 2206452 ) on Tuesday October 09, 2012 @01:07AM (#41593563)

    Unions can be a big help in stopping BS like this from happening.

    When you have people purposefully break things just to look good for the bosses, that's bad; even worse is sweeping security and other issues under the rug.

  • by HangingChad ( 677530 ) on Tuesday October 09, 2012 @03:55AM (#41594031) Homepage

    It's hard reading IT train wreck stories, especially when the damage is self-inflicted. And yet I saw that same attitude, on both sides of the transaction, acted out over and over.

    A long time ago a CIO I worked for said he wasn't worried as long as he had a throat he could choke if things went sideways. The only thing he cared about was having somewhere to cast blame.

    Those were the days I naively cared about doing a good job.

  • Re:HAHA (Score:5, Insightful)

    by dbIII ( 701233 ) on Tuesday October 09, 2012 @05:41AM (#41594327)
    However no jail time. Refusing to disclose a password in case it's used by such an incompetent carries jail time, but being deliberately criminally incompetent does not. It's a pretty nasty lesson we are teaching the next generation.
  • by Turminder Xuss ( 2726733 ) on Tuesday October 09, 2012 @08:32AM (#41595059)
    The five stages of IT projects: 1. Wild Enthusiasm 2. Cold Reality 3. The Hunt for the Guilty 4. Bayoneting the Wounded 5. Promoting the Absent
  • by Bill_the_Engineer ( 772575 ) on Tuesday October 09, 2012 @10:09AM (#41596021)

    Even with funding, the DoJ would be pretty useless. I'll just trot out the current Republican talking points about Fast and Furious since they'll illustrate a good reason why the Republicans wouldn't be inclined to fund the Department of Justice.

    You could but then again I could just trot out the bananas can't be considered oranges.

    I hate to be the one to break it to you, but the reason politicians love to underfund enforcement is to offset the showboat regulations that they pass in order to be re-elected. This way they said they passed laws that are designed to protect us from harm, while at the same time the chances of that law actually being used are low enough not to piss off the people who actually fund the politicians' campaigns.

    Pointing to incompetence or the occasional misstep brought on by the underfunding of enforcement as an example of why we should fund government law enforcement is part of their plan. You don't actually think they would point out the overwhelming majority of things that the government does right? That would discredit the fairytale that they are trying to sell you.

    This is why the republicans in particular have been doing a shitty job. If the government is seen as doing the right thing then they wouldn't have a platform to run on. The number one reason that a republican filibusters every single bill of significance is to prevent the democrat president from looking good. Never mind that shitty legislation was passed with overwhelming support when there was a republican president. During the Bush years the attitude of the republicans was that it was okay to borrow money in order to keep taxes low because the interest being paid was offset by the nation's GDP. The day after a democrat is president, those same republicans immediately are concerned that we are borrowing too much money and selling our children to China. The amount of hyperbole that is spewed is ridiculous.

    I just find it laughable that someone would vote for a candidate that is more concerned with what would make his party look good than what is good for the nation. One key sign that this is taking place is the more they try to hurt the country to prop themselves up, the more they wrap themselves in the American flag and claim to be patriotic.

    Beware of the politician that campaigns on the platform that government sucks and reelect him and he'll keep it that way.

  • Re:HAHA (Score:4, Insightful)

    by tibit ( 1762298 ) on Tuesday October 09, 2012 @10:17AM (#41596119)

    Protip: the world is full of people who do stupid shit for apparently no rational reason at all. There.
