Bloomberg Posts 10,000 Private Messages Over the Internet

A news report says the beleaguered Bloomberg financial data and news service accidentally posted online more than 10,000 private messages between traders and clients at some of the world’s largest banks. The breaches, said to be part of a former employee’s data mining project, took place in 2009 and 2010.

The revelation, first reported by The Financial Times, will do little to restore public confidence in the company’s data security after its editor-in-chief had admitted just hours earlier on Monday that the news agency had allowed its journalists access to confidential client data since the 1990s.

“Our reporters should not have access to any data considered proprietary. I am sorry they did. The error is inexcusable,” wrote Matthew Winkler in an opinion piece on the Bloomberg Web site. “Last month, we immediately changed our policy so that reporters now have no greater access to information than our customers have. Removing this access will have no effect on Bloomberg news-gathering.”

The company is being investigated by a number of agencies, including the European Central Bank and U.S. Treasury and U.S. Federal Reserve, after senior executives at Goldman Sachs complained that a Hong Kong-based Bloomberg reporter had called to ask about a partner’s employment status after noticing the person hadn’t logged into a Bloomberg terminal for some time.

Winkler said the company’s reporters had limited access to data, including login histories and “high-level types of user functions on an aggregated basis, with no ability to look into specific security information.”

The company supplies financial terminals to traders, regulators and central bankers worldwide for about $20,000 annually. It reportedly has more than 315,000 terminal subscribers, who use the service to gather real-time data on markets and instant message each other.

On Friday, the CEO and president of Bloomberg LP, the parent company, posted on the Bloomberg Blog that reporters never accessed “trading, portfolio, monitor, blotter or other related systems or our clients’ messages.”

“Last month we changed our policy so that all reporters only have access to the same customer relationship data available to our clients,” wrote Daniel Doctoroff on Friday. “Additionally, we decided to further centralize our data security efforts by appointing one of our most senior executives to the new position of Client Data Compliance Officer. This executive is responsible for reviewing and, if necessary, enhancing protocols which among other things will continue to ensure that our news operations never have access to confidential customer data.”

The latest breach involving more than 10,000 messages was discovered by a Financial Times reporter doing a Google search. After the journalist contacted the company for comment on Monday, the confidential lists were immediately removed from the Internet.

The private messages were part of a data-mining project being done with a client’s consent by an employee who is no longer with the company. They involved confidential exchanges between traders and their clients at dozens of the world’s largest banks and had been available for public consumption for several years.

New York City Mayor Michael Bloomberg, the majority owner of the financial information company, has not been involved in daily operations for a number of years, including since he took office in 2002. He has refused to comment on the privacy and security breaches, citing an agreement with the city’s Conflicts of Interest Board.
