Meet Europe’s Favorite Data Thief

Hervé Falciani

Photo by Valery Hache/AFP/Getty Images

When Hervé Falciani, a former IT worker at HSBC, exposed billions of euros’ worth of financial fraud, he became both a thorn in the side of his ex-employer and a hero to tax regulators across the European Union. Swiss authorities are eager to prosecute him for stealing confidential banking information, but at a time when EU governments are desperate to find any new source of revenue they can—even back taxes—they are likely to be less and less sympathetic to Switzerland’s zeal. Last week, Falciani’s extradition trial began in Spain, where officials don’t seem willing to hand him over.

Falciani, a French and Italian citizen, was working at the Geneva branch of HSBC Private Bank when he learned about thousands of clients who were using offshore accounts to avoid paying taxes in their home countries. He says colleagues at the bank recorded the data and gave them to him to report to authorities. (HSBC disputes that and says he stole the information.) The files he received contained confidential information about at least 24,000 HSBC customers—and now European tax authorities are scrambling to track down these tax evaders.

Falciani has been living in Spain since he fled there last July. The Spanish seem unwilling to extradite him to Switzerland because he has been so helpful to investigations into tax evasion, money laundering, corruption, and terrorism financing, according to the AP. At his extradition hearing in Madrid on April 15, Spanish prosecutor Dolores Delgado told the court that the financial fraud that Falciani uncovered added up to 200 billion euros ($260 billion).

Digital activists rarely have such an immediate or widespread impact from their corporate hacks. Then again, nor does the typical hacktivist have access to 24,000 client accounts in the course of their everyday jobs, at a multinational banking firm with assets totaling nearly $2.7 trillion.*

Whether anyone else could pull off anything at this scale in the future remains to be seen. Falciani stole the data between 2006 and 2007 and blew the whistle with an email to European tax regulators in 2008, but HSBC didn’t publicly acknowledge the details of his theft until March 2010. In the same breath, the bank also tried to assure the public that it had made “significant improvements” to security procedures, to prevent a breach like this from happening again.

The former bank employee presents himself as a reluctant whistle-blowing hero: “I am not Robin Hood, I’m not a mercenary. I acted like a citizen,” he has said. He’s denied that he received any payment from any government for handing over the files—but the German government says it paid 4 million euros (more than $5.2 million) for a copy of the disc. For Germany’s part, that fee was a relatively small price to pay, as the information on the CD will allow it to crack down on the 10,000 Germans who have collectively avoided 500 million euros (more than $650 million) in national taxes by using offshore banks.

Falciani has said that he tried to tell Swiss authorities about the misconduct he saw at HSBC, but they wouldn’t let him make the complaint anonymously. He said he then passed the information on to French authorities, and Christine Lagarde, France’s former Finance Minister and current head of the International Monetary Fund, in turn gave it to the United States and several members of the EU.

But Falciani’s situation could be different if he lived in the United States. Judicial protections for corporate whistle-blowers in America are relatively strong—especially those who are exposing tax fraud, Dean Zerbe, an attorney and senior policy analyst at the National Whistleblowers Center, told me in an interview Friday.

I was curious about whether an IT worker who had obtained, recorded, and distributed confidential data from a financial institution would face legal risk. While corporate whistle-blower laws in the United States offer strong protections to the individual, the country still has rather draconian laws protecting companies from system hacking and data theft—a fact that was illustrated most starkly and tragically in the case of Aaron Swartz. So which type of law would apply here?

Zerbe said he thought that, despite the fact that this scenario involves data theft, anti-computer-fraud laws most likely would not go into effect if a case like this came up in America. He explained that authorities would look closely at the motivation of the data thief. If someone were to steal an employer’s data to sell it to a competitor for personal gain, that wouldn’t be protected by U.S. law, of course. But if the data theft were originally intended to stop illegal activity, then that would be protected—even if the government later awarded the tipster with money. Whistle-blowers are also kept anonymous, says Zerbe.

That makes the latest chapter in Falciani’s saga, reported by the AP on Sunday, particularly noteworthy: He claims that he did, in fact, contact the U.S. Justice Department about his case, and that American authorities were the ones who advised that he go to Spain, which would be the safest place in Europe at that time.

“They told me that from that moment my life was at risk,” Falciani told the Spanish newspaper El Pais. (American authorities declined to comment to the AP for their article.) In El Pais’ description of the interview, “Falciani used his finger in a side-to-side horizontal movement across his neck to reinforce the point that his life was in danger.”

*Correction, April 23, 2013: This blog post originally stated that HSBC is worth more than $2.7 trillion. Instead, its assets total close to $2.7 trillion.