Last month, BAE Systems’ Paul Henninger breathlessly reported that a “major” U.S. hedge fund had fallen victim to a spear phishing cyberattack after an apparently dull employee clicked on link he or she shouldn’t have. This was very bad news: The attack went on for two months and totally fucked up the hedge fund’s high-frequency trading strategy—which vulnerability did not stop the hackers from wanting to steal it, which they also did, according to Henninger. “It was having a material impact on performance across the portfolio,” he said, forcing the hedge fund’s board to “review” it.
Now, this was all very convenient for BAE Systems, whose business it is to sell network-security services to, among other entities, hedge funds. And the FBI and something called the Center for Financial Stability thought it worth getting together to do something about it after “news about cyber-attacks against a major unnamed hedge fund.”
Unnamed, perhaps, because it didn’t actually happen. But that’s OK, according to BAE, because it totally could actually have happened, even if BAE has no more evidence to support that claim than its last.
The attack was one of several “illustrative scenarios” that BAE internally developed and was “incorrectly presented” as authentic, Natasha Davies, a company spokeswoman, said in a telephone interview today….
“Although the example was a plausible scenario, we believe that it does not relate to a specific company client,” Davies said. “We sincerely apologize for this inaccuracy. We are taking the necessary action to ensure this type of error does not occur again.”
Among which actions are making Mr. Henninger lay low for a little while.
Henninger, while still employed by BAE, is “taking some time away from the business,” Davies said.
BAE Says Hedge Fund Attack on Hedge Fund Wasn’t Real [Bloomberg/actual headline]