On April 20, William Entriken decided to break a non-disclosure agreement, even though he knew doing so put him at risk of getting sued. It was an agreement he'd signed back in 2008, after reporting a cybersecurity vulnerability to a stock-trading firm called Zecco. Nowadays Entriken is the general manager at a medical education company, but the unfinished business was bothering him.
In October 2008, Entriken discovered that Zecco was implementing trades in an insecure way. Transactions couldn't be definitively attributed to a particular user. Anyone who used the correct URL could execute a trade on anyone else's behalf, and there would be no way to determine the legitimacy of the transaction, or lack thereof.
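The flaw described above, in which a trade can be triggered by anyone holding the right URL and the resulting record cannot be tied to a user, is a missing-authentication, missing-attribution defect in the trade endpoint. The following is an added illustration written for this article, not code from Zecco or from Entriken, and it assumes hypothetical names (`insecure_trade`, `secure_trade`, `SESSIONS`, `CSRF_TOKENS`) and constructed sample data. It places the vulnerable pattern beside a hardened handler that only acts on an authenticated session, refuses state changes over a bare URL, checks an anti-CSRF token, and records who placed the trade so later audits can determine legitimacy.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse, parse_qs
import secrets

# Constructed sample data: session cookie -> user, and a CSRF token per session.
SESSIONS = {"sess-alice-01": "alice", "sess-bob-02": "bob"}
CSRF_TOKENS = {"sess-alice-01": "tok-a1", "sess-bob-02": "tok-b2"}


@dataclass
class Trade:
    account: str
    symbol: str
    qty: int
    attributed_to: Optional[str]  # None: the record cannot be tied to any user


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class TradeError(Exception):
    pass


def insecure_trade(request: Request) -> Trade:
    """Vulnerable pattern (for contrast): every parameter, including the account
    to trade on, comes from the URL, and no session is consulted. The resulting
    record carries no actor, so legitimacy can never be established afterwards."""
    q = parse_qs(urlparse(request.url).query)
    return Trade(account=q["account"][0], symbol=q["symbol"][0],
                 qty=int(q["qty"][0]), attributed_to=None)


def secure_trade(request: Request) -> Trade:
    """Hardened handler: the actor is derived from the authenticated session,
    the operation is only accepted as a POST carrying a session-bound CSRF
    token, and the trade is recorded against that user and nobody else."""
    # 1. A state change must not be reachable through a bare URL (GET).
    if request.method != "POST":
        raise TradeError("trades must be submitted with POST")
    # 2. Identity comes from the session cookie, never from request parameters.
    session_id = request.cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        raise TradeError("no authenticated session")
    # 3. Anti-CSRF token must match the one issued to this session
    #    (constant-time compare avoids leaking the token via timing).
    expected = CSRF_TOKENS[session_id]
    if not secrets.compare_digest(request.form.get("csrf", ""), expected):
        raise TradeError("missing or invalid CSRF token")
    # 4. Any 'account' field a caller supplies is ignored: the account traded
    #    is the session user's own, and the record names that user.
    return Trade(account=user, symbol=request.form["symbol"],
                 qty=int(request.form["qty"]), attributed_to=user)


def is_attributable(trade: Trade) -> bool:
    """Audit check: can this record be tied to a specific user?"""
    return trade.attributed_to is not None and trade.attributed_to == trade.account


if __name__ == "__main__":
    # Constructed request via a bare URL naming someone else's account.
    bad = insecure_trade(Request("GET", "https://example.test/trade?account=bob&symbol=XYZ&qty=10"))
    print("insecure:", bad, "attributable:", is_attributable(bad))
    # Constructed authenticated POST from Bob's own session.
    good = secure_trade(Request("POST", "https://example.test/trade",
                                cookies={"session": "sess-bob-02"},
                                form={"csrf": "tok-b2", "symbol": "XYZ", "qty": "10"}))
    print("secure:", good, "attributable:", is_attributable(good))
```

The key design choice is that the secure handler never lets the request name the account being traded; the account and the actor are the same authenticated principal, which is what makes every record attributable after the fact.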
When Entriken reported the vulnerability, known in hacker parlance as a zero day, he did so with the expectation that the company would move quickly to patch it. Instead, Entriken told Inc. that the company deceived him and did their best to cover up the issue, all while refusing to fix the problem and endangering users.
Executives who presided over the suppression soared in their careers not long after. In particular, Zecco CTO and later CEO Michael Raneri went on to found another startup and eventually land at a prestigious consulting firm.
Nowadays Zecco is called TradeKing (after a 2012 merger) and owned by Ally Financial. The executives with whom Entriken tangled have cashed out and moved on. Michael Raneri, the CTO at the time, is a managing director at PricewaterhouseCoopers. On Raneri's behalf, PwC declined to elaborate on the issue: "This is a personnel matter, and therefore we would not have any comment," a spokesperson said.
Zecco's CEO at the time, Jeroen Veth, currently works with Dutch Capital Group. Veth did not respond to a request for comment by press time. TradeKing owner Ally Financial told Inc., "These allegations occurred nearly nine years ago [and] therefore we aren't in a position to offer comment. However, we would like to assure our clients that TradeKing takes security very seriously and will continue to do so as part of Ally."
In his blog post, Entriken explained why he decided to go public after a decade of NDA-enforced silence. The executives he spoke to "made it very clear [that] their sole intention was to prevent public disclosure of this incident, rather than actually fix the problem," Entriken wrote. The cybersecurity vulnerability that he unearthed affected at least 100,000 users, but it was left unaddressed for a year or more.
"Basically, this is beyond a rookie mistake, what they had done," Entriken explained in a phone call. "Anybody who learned anything [about computer science] in high school would not make this mistake. And so, I told them, 'There's no way you've had anybody else call you with anything at this level. You would be out of business. You would have been hacked. If I'm telling you about this, somebody else is not telling you, and they're just taking your money from you.'"
Entriken continued, "So [Michael Raneri] was bulls---ing me," when the executive said that he would take care of the vulnerability. "And he won," Entriken said bitterly. "He tricked me into signing the NDA," by implying that the company would hire Entriken as a contractor to help fix the issue. It didn't work out that way. "The end result was, he immediately and completely ignored [the problem], just 100 percent ignored it and did nothing. And the end result is he got promoted to CEO, then he sold the company, and became a partner at [PwC]."