Geneva, Switzerland (GenevaLunch) – Europe’s largest bank made a startling confession, accompanied by an apology, to its clients 11 March: Britain’s HSBC said it had been given evidence by the Swiss Federal Prosecutor that a Geneva office employee stole data linked to 24,000 client accounts and tried to sell the information abroad. The employee, Hervé Falciani, had tried to flog that data to Lebanon in 2008. His failed attempt was the start of the unraveling of his theft scheme. Evidence of efforts by Falciani and a female companion for the first time linked his name to the theft, which the Swiss government had been investigating for several weeks.
Human factor is the real risk for an international company with secrets
It also drew attention to a significant problem for international companies that have any private data, from client information to research and development data: It takes a human being to steal for personal gain, so knowing staff well is as critical to security as a good IT system. Laws inside a country may protect corporate secrets and privacy, but once international boundaries are crossed the issue of countries not extraditing their own citizens can become an issue.
Thief, spy saga victim or honest whistleblower: Falciani’s many faces
Hervé Falciani was not, as first media reports in July 2009 implied, a relatively young outsider at the bank. Nor was he a whistleblower, a label he tried unsuccessfully to give himself when the public spotlight turned on him. The evidence that he was involved in some kind of secret agent deal appears to be believed by no one but Falciani.
The label of whistleblower, more socially correct than that of thief, has lingered, in part because of media reports that imply he stole the data for some greater good. Reuters, in a 12 March article, lumps Falciani in with whistleblowers, but further down in the story notes that German reports show he tried to sell the information to Germany for $3.39 million.
France, for its part, raided his house to get hold of the data after Switzerland informed the French government of the theft and asked, under the terms of a bilateral treaty, for judicial assistance. France initially refused to give the data to Switzerland and gave Falciani a new, safe identity in the south of France. France does not extradite its own citizens. It is unclear if Switzerland knew when it asked for judicial assistance, the extent and type of data stolen.
The French public prosecutor in Nice, who initially referred to Falciani as giving the data because of his desire to do good, suggested some 130,000 bank accounts were involved. HSBC initially thought only 7-10 accounts were linked t the theft, but it was not shown any evidence until 3 March 2010, by either the Swiss or French governments. HSBC in Geneva has a total of 100,000 accounts and says no accounts outside the Geneva office of the bank are involved.
HSBC goes public with facts on ex-employee
Here is what HSBC, which spoke publicly about him for the first time 11 March, says about Falciani:
- A trusted employee who for many years had been with the Group in the IT department and, as a result, had access to a large amount of data in the course of his normal professional activities, as did a handful of other staff members who did not steal data
- Worked at the end of 2006 as a technical analyst on a data migration involving client records, and, according to our findings, took the opportunity of this specific data migration to transfer records onto personal devices
- Obvious intention of theft and malicious intent: according to information published in the press, he tried in spring 2008 to sell the files originally to several banks in Lebanon and, it seems, to various authorities; he transferred them onto his private computer; he fled to France from questioning by the Swiss prosecutor; he has since tried to invent a fantastic story about kidnapping and secret services to cover up his actions
- Has tried to position himself as a whistleblower within the organisation, but we have no record of his reporting or suggesting anything to his supervisor.
- It is unclear how HF managed to physically steal the data
- Since 2006, the bank has been constantly upgrading its systems and has dedicated a large proportion of the IT budget to improving our systems and security
- The determinant factor in this affair is the human one: IT is not the real issue, and data theft is becoming an ever-more serious preoccupation within the industry.
- A criminal investigation was initiated by the Swiss Federal Prosecutor in summer 2008, following an attempt to sell the data to Lebanese banks. The name of HF will be linked to this attempt for the first time on 22 December 2008
- The bank files a charge against HF for suspicion of misuse of economic intelligence, extraction of confidential data, violation of commercial confidentiality and violation of banking secrecy and other offences committed to the detriment of the bank but also of the Swiss Confederation (présomption de service de renseignements économiques, de soustraction de données, de violation du secret commercial et de violation du secret bancaire)
- The affair is still under investigation by the Swiss Federal Prosecutor and the bank refrains from commenting on any legal issues linked to this case.
Ed. note: in Switzerland Falciani is generally referred to by his initials, HF, the norm for people involved in court cases because of Swiss privacy laws, although if the figure is clearly a public figure the name is sometimes mentioned. In France and on the Internet his name and that of the woman Le Monde refers to as his mistress, have been widely published. Falciani, who now has a new name, has gone on television in France to talk about the crime.