ISLAMABAD (Reuters) - Pakistan's Karachi Stock Exchange is investigating whether staff profited from years of unauthorized access to real time trading data in a market that has rocketed more than 450 percent since 2009.
The potential breach came to light after two whistleblowers accused senior staff of accessing sensitive trading data through a secure network and accessing emails without authority, according to confidential documents seen by Reuters.
Some board members expressed concern the access could have allowed the staff to benefit because they knew of individual buy and sell orders, the documents show.
Any suggestion that staff may have illegally profited from having access to real-time market data stands to deal a blow to the KSE, where about a third of shares freely available to investors are held by foreigners.
In the first public acknowledgement of the potential breach, KSE Managing Director Nadeem Naqvi told Reuters an investigation was underway into whether any individuals profited.
"My primary focus from day one has been data security," he said. "The integrity of the exchange depends on this."
With a market capitalization of $54 billion, the KSE is Asia's third-smallest stock exchange in U.S. dollars among those monitored daily by Thomson Reuters. Only Vietnam and Sri Lanka are smaller.
Last year, the Karachi 100 stock index rose 38 percent in U.S. dollar terms, making it the 10th best performing stock market in the world.
The index soared to a record of more than 27,200 points in January from less than 5,000 points in early 2009.
Pakistani consultancy Sidat Hyder Morshed Associates, which was asked to investigate by the KSE, said in a report in December that senior IT staff were able to read staff emails and monitor trades conducted through secure systems in real time.
It said "some IT staff" had this access, without giving a precise number. These members of staff could monitor individual unique identification numbers that track trading activity.
The report also noted that former manager director, Adnan Afridi, had access to such trading data. He said this was because market surveillance teams reported to him.
"There was no impropriety," he told Reuters. "A feed was available to my computer so I could see if there was anything we needed to take action on."
Afridi noted that since reforms enacted last year, the managing director of the KSE is no longer responsible for market surveillance.
Reuters has seen the consultancy's report and KSE minutes of board meetings where the issue was discussed. The documents are confidential.
The consultancy did not investigate whether the staff had manipulated the market. Instead, it was asked to identify the whistleblowers and authenticate their claims.
Naqvi said he was now investigating whether the staff had profited from the data. His team is expected to issue a report on its findings to the KSE board in two weeks, he said.
The consultancy will also issue another report before March with recommendations for security upgrades of KSE systems, he said.
The KSE did not retain deleted emails and did not log who was accessing emails or trading data, the consultancy's report said, making it hard to find evidence of manipulation.
The report found that staff had apparently been tipped off to the investigation and may have deleted files.
Sidat Hyder Morshed Associates declined to comment.
Minutes of KSE board meetings show that members were concerned by the potential breach.
"Persons privy to such information might be involved in front-running," said Mohammad Sohail, the minutes of a December 12 meeting show.
Front-running is when insiders with privileged knowledge make a trade based on the information ahead of time or simultaneously. It is illegal in Pakistan.
Another board member, Kamal Afsar, expressed concern that the security breach could have contributed to a 2008 stock market crash, which wiped two thirds off the value of the stock market.
"Live market data was visible to selected persons which could have led to market manipulation," he said in a December 9 meeting, according to the minutes. "If the investigation is broadened, it may provide more disclosures."
Afsar and Sohail did not respond to several requests for comment.
The minutes show that many staff had their access to secure systems revoked, outside consultants were brought in to strengthen the security of the KSE systems and the whistleblowers were thanked, not disciplined.
"I do not believe in letting bygones be bygones," said Naqvi. "If people exploited the system, we will find them."
But the Securities and Exchange Commission of Pakistan (SECP) is hobbled by a slow legal system in pursuing harsh penalties for offenders. If the accused contest their fines, cases can drag on for years, it says.
However, critics say the SECP has other powers, including barring fraudsters from trading, which it rarely uses.
Reporting by Katharine Houreld: Editing by Neil Fullick