GO
Loading...

BAE says it 'incorrectly presented' cyberattack

weerapatkiatdumrong | iStock | Getty Images

An executive at a division of cybersecurity firm BAE Systems "incorrectly presented" an alleged cyberhacking incident involving a hedge fund, a company spokesperson said Wednesday.

The executive, Paul Henninger, global product director for BAE Systems Applied Intelligence, told CNBC in June that his firm had found and stopped a malicious cyber-intrusion into a hedge fund client. Henninger declined to identify the hedge fund.

But on Wednesday, BAE Systems spokesperson Natasha Davies said that the attack Henninger had described as a real event involving a hedge fund had in fact been a "scenario" used by cyber experts inside BAE Systems. CNBC reported on the event on June 19. The original story noted that BAE Systems was the source and that CNBC could not independently verify that the attack had actually happened.

On that day the story was posted on CNBC.com, BAE stock went up 1.6 percent with trading volume higher than usual.

"We offer our sincere apologies," Davies said Wednesday. The attack, she said, "was inaccurately presented as a client case study rather than as an illustrative example."

Asked why BAE had waited nearly two weeks to come forward with its revised account of events, Davies said that employees inside BAE had attempted to get more information on the incident and "it took some time" to conclude it had never happened.

In an on-camera interview with CNBC that aired on June 19, Henninger clearly referred to the attack as a real event impacting a hedge fund client of BAE Systems. "This particular attack happened at the end of 2013," he said in that interview. "It took a couple of months before the firm itself realized that something was wrong. And then it took about a few weeks for the investigation to get to the point where we made the connection between the network anomalies and the trading anomalies. So the actual resolution of the attack was fairly rapid."

In the same interview, Henninger also spoke clearly about the reaction to the attack inside the purported hedge fund: "This was not something that was a minor issue for them, this was something that was getting reviewed at the board level at this hedge fund precisely because it was having a material impact on the performance across the portfolio," he said at the time. (See the June 19 interview here)

On Wednesday, the BAE spokeswoman said Henninger was not available to talk to CNBC, because he is "taking some time away from the business." Asked if the firm had taken any disciplinary action against anyone internally, Davies replied, "at this time, we cannot comment on any employee issue." The company said Henninger did a similar interview on the day that the CNBC story was published online and aired on TV with Bloomberg News. The company said it would be contacting Bloomberg, too, about the inaccuracy.

CNBC's original interview with Henninger was arranged by an outside public relations firm called Articulate Communications. On Wednesday, a spokeswoman for the firm said that Articulate pitched CNBC the story "based on approved content from BAE Systems Applied Intelligence." She referred all further queries to BAE.

"There has been an enormous amount of interest in cyber attacks on the financial sector," said a BAE Systems Applied Intelligence spokesperson. "From the extensive amount of cyber incidents we deal with, we occasionally produce anonymized illustrative scenarios to help inform industry and the media. We now understand that we recently provided CNBC with an example referencing a hedge fund and incorrectly presented it as an actual BAE Systems Applied Intelligence client case study rather than an illustrative scenario.

"Although the example was a plausible scenario, we believe that it does not relate to a specific company client," the spokesperson added. "We sincerely apologize for this inaccuracy. We are taking the necessary action to ensure this type of error does not occur again."

BAE's Davies said BAE Systems is reviewing its internal procedures following the incident and that it "does not appear to have been anything malicious." Nonetheless, she said "we want to make sure this kind of thing doesn't happen again."

—By CNBC's Eamon Javers

Contact Cybersecurity

  • CNBC NEWSLETTERS

    Get the best of CNBC in your inbox

    › Learn More

Squawk Alley