Assignment 2: Review of Business Fraud
ACC 565 – Accounting Information Systems
July 28, 2012

Summary of United States vs. Bo Zhang

Bo Zhang, a Chinese computer program, was a contract employee assigned to the Federal Reserve Bank of New York (FRBNY), between May 2011 and August 11, 2011, to work on further developing a specific portion of the Government Wide Accounting program (GWA) source code (FBI, 2012). Mr. Zhang was not a United States citizen and was here on a VISA. The United States had spent approximately $9.5 million to develop the GWA code. The FRBNY was given the task of moving the Government Wide Accounting program, developed to help track the billions of dollars the United States government transfers daily, from an antiquated IBM mainframe computer to the Internet, according to a person familiar with the project (Chicago Tribune, 2012). In the summer of 2011, Zhang stole the GWA Code and, without authorization from FRBNY, copied it onto his hard drive at the FRBNY and an FRBNY-owned external hard drive. He then transferred the code to his private office computer, his home computer, and his personal laptop (FBI, 2012). Zhang used the GWA code to access the government system and submit fraudulent documentation to immigration authorities to help foreign nationals obtain visas to enter and work in the United States. Zhang falsely represented to immigration authorities that certain foreign nationals worked full-time for his computer training business. At least one individual fraudulently obtained a visa in connection with Zhang’s offense. What had trigger Zhang being caught was he told a colleague one of his hard drives holding the code had been lost. The colleague immediately told his supervisor and the bank's officials alerted the FBI (FBI, 2012). The GWA code gave Zhang access to the United States government’s finances. This included ledger accounting for each appropriation, fund, and receipt within the Department of Treasury. Bo Zhang used the access to forge documents to give Chinese immigration VISA to the U.S. Stealing proprietary government software worth nearly $10 million using little more than a mouse had government officials and investigator worried they were vulnerable to cyber attacks. This concern was accelerated when Bo Zhang was arrested in 2012 which was five month after his employment date because they did not know for sure who else had the GWA code and could access the system. If attacked there were direct concerns accounting information could be altered or malicious virus could launched wiping ok critical data. FBI investigators questioned Zhang on August 11, Zhang admitted taking the code "for private use and in order to ensure that it was available to him in the event that he lost his job," the complaint said (FBI, 2012). Zhang’s thievery put the U.S. government at risk and made them vulnerable to outside attack. If executed correctly this could have caused the Federal Reserve Bank to lock done daily activity which would have affect U.S. business and individuals. “Zhang, 32, of Queens, New York, pled guilty to one count of theft of government property and one count of immigration fraud. He faces a maximum term of 20 years in prison (FBI, 2012).” Zhang will be sentenced by United States District Judge Paul G. Gardephe on October 1, 2012 at 10:00 a.m. for 18 months in prison, $30,000 in fines, and was subject to deportation after his time was severed (FBI, 2012).
Fraud Classification of the Case This case is an example of data leakage. Data leakage is unauthorized copying of company data (Romney/Steinbart, 2012). Data leakage has many different formats. The formats include printed, digital media, data in motion, data at rest and data at endpoints (IRS, 2012). This case is data at the endpoint. “Data at the endpoints refers to endpoints of a network where the data is being used. Since this is where most FTI data is accessible, this type of digital media form warrants the greatest concern for potential data leakage. Employees or contractors could copy restricted data onto a mobile media device, physically remove it from the agency’s facility or print and distribute it without knowledge of the violation. Consequently, FTI data that is on a PC could be copied to back-up storage located at a contractor’s off-site facility as a component of an agency’s automated back-up procedures (IRS, 2012). Mr. Zhang data leakage was in the format of data at the endpoints where he copied the GWA software onto the government’s external hard drive then from there to a private company computer and to his home computers. He then used the GWA software on unmonitored systems to commit the immigration fraud.
Types of Controls in Place The Government did have user access controls as that is Mr. Zhang copied the GWA code and software to other computers. The government also had proper employee training of security. The one preventive control that led to the detection of the crime committed by Mr. Zhang and that was the preventive control of training. Preventive controls are controls that determine problems before they occur. Training of employees is important and teaches employees security measures are important to the organization long-run survival (Romney/Steinbart, 2012). The training of employees is what led the employee that was told by Mr. Zhang he had lost on of his external hard drives that contained the GWA code. When the employee heard this he/she immediately told the proper government authorities. The employee knew that the lose of external hard was a security breach because of proper employee training and led to the capture of the crimes Mr. Zhang had committed.
New Government Controls Information security is important to the protection of accounting information system. In this case the Government lacked proper information security controls with is what allowed this information breach. Two controls that could have been put into place that would have prevented this theft of the GWA code and system are authorization controls and network access controls. Authorization is the process of restricting access of authenticated users to specific portions of the information system and limiting what actions they are permitted to view and perform (Romney/Steinbart, 2012). In the case Mr. Zhang copy of software to no work computers has the GWA code that gave him unlimited access to all the Government Information System. If he had been assigned an access code that required him to log onto the system he could have be lock out of being able to download the GWA system onto an external hard drive. Instead he had unlimited access so he was able to download the GWA software and steal the GWA code give him all the access he need to commit the crime. The other control is the network access controls. Mr. Zhang accessed the government information system from non-government computers. The government project Mr. Zhang was working on was to move the daily activate from the antiquated main frame to the internet. If the network access controls were in place that only allowed government approved computers to be able to access the GWA then Mr. Zhang would not have been able to gain access the Government system even with the software. For example, when Mr. Zhang copied the software onto his private computer at the office he would not have been able to get into the GWA system as it would not have recognized his computer credentials. Having proper information security measures can help protection the information system.
Punishment
Immigration fraud and theft of government property was what Mr. Zhang was convicted for with the maximum sentence of 20 years and deportation. The acting judge sentenced him to 18 years in prison, $30,000 in fines and with the chance he would be deported after his jail time. There was another case of immigration bribery where U.S. government official took brides to allow immigrates into the U.S. His maximum sentence time for the over 36 counts of bribery was 256 years and he was sentenced for 17 years (WSJ, 2011). Mr. Zhang crime was caught quickly and only one immigrate was allowed one visa and he had not sold the GWA code or software. The courts look at the crime, the damage done, and the length of the crime was being committed to determine the punishment. The only part I disagree with it that the judge left the judgment of deportation open ended. I believe with the theft and fraud committed Mr. Zhang’s VISA should have been revoked and he should be deported by to China after his prison term. However, I am not a judge and there could have been a reason the deportation was left open ended like if he was being deported the Chinese government could have requested Mr. Zhang be deported before he served his jail time in the United States. Based on time sentenced for other cases and the damage that was done my Mr. Zhang I believe his sentenced time was appropriate.

References

FBI. May 29th, 2012. Computer Programmer Pleads Guilty in Manhattan Federal Court to Stealing Proprietary Code from the Federal Reserve Bank of New York and to Engaging in Immigration Fraud. Retrieved from (http://www.fbi.gov/newyork/press-releases/2012/computer-programmer-pleads-guilty-in-manhattan-federal-court-to-stealing-proprietary-code-from-the-federal-reserve-bank-of-new-york-and-to-engaging-in-immigation-fraud

IRS. (2012). Preventing Data Leakage Safeguards Technical Assistance. Retrieved from http://www.irs.gov/privacy/article/0,,id=201295,00.html

Katz, Basil. May 29th, 2012. Chinese man pleads guilty to NY Fed cyber theft. Chicago Tribune. Retrieved from http://articles.chicagotribune.com/2012-05-29/news/sns-rt-us-usa-crime-fedbre84s1fi-20120529_1_software-code-cyber-attacks-security-checks

Romney, B. Marshall & Steinbart, John Paul (2012). Accounting Information Systems. Upper Saddle River, NJ. Prentice Hall.[pic][pic]