The U.S. Securities and Exchange Commission is cracking down on 32 people who allegedly devised a scheme to profit from hacked nonpublic information about corporate earnings announcements. The suspects include a duo of Ukrainian men charged with hacking into PR Newswire, Business Wire and Marketwired newswire services to steal information, as well as 30 others outside the U.S. who traded against it.
“This international scheme is unprecedented in terms of the scope of the hacking, the number of traders, the number of securities traded and profits generated,” said Securities and Exchange Commission Chair Mary Jo White. “These hackers and traders are charged with reaping more than $100 million in illicit profits by stealing nonpublic information and trading based on that information. That deception ends today as we have exposed their fraudulent scheme and frozen their assets.”
Fascinating New Domain
This is a fascinating new domain in the field of defending against attacks, John Gunn, vice president of Vasco Data Security, told us via a spokesperson. Cash, credit card numbers, and Social Security numbers have high value to all hackers, so they are well protected, especially by banks who spend fortunes protecting their assets, he said. Then he offered a “but.”
“But a press release has essentially zero value to anyone except an extremely small group of hackers who can exploit the information in secondary markets,” Gunn said. “This creates a dangerous scenario where zero-value assets that are protected by minimal security come under attack from hackers who have the know-how to convert the asset into significant monetary gain. These hacker mash-ups will become more frequent as enabling technologies make criminal collaboration easier.”
John Humphries, CMO and co-founder of managed security firm Proficio, offered a stern warning in the wake of the breach. He told us if you have confidential information that can be monetized, assume you are being attacked.
“What's next? Pending drug approvals by the FDA, court opinions, rating agency analysis? While the attacks on Marketwired and others were determined and targeted, none of the techniques should surprise a well-run security team,” Humphries said. “They underscore the need for constant monitoring by either an internal security operations team or a SOC-as-a-service provider."
Greater Perceived Risk
The experts over at advanced threat detection firm Tripwire are keeping a close eye on this breach and offer some helpful insight. Tim Erlin, director of IT security and risk strategy at the firm, told us companies need to be aware of the risks their supply chains present to their businesses.
“This is a case where sensitive information was transferred to a third party, and while the sensitivity was time limited, the data was clearly at risk,” Erlin said. “While public companies may take the time to revisit their PR processes with an eye towards security, they should look at other areas where data is shared with third parties that might be exploited.”
Erlin noted that the U.S. government took more than two years to make arrests in this case. While that may seem like a long time, he said that kind of patience and persistence is the best weapon that federal agents have in a tough fight against sophisticated criminals.
Erlin’s colleague Ken Westin, a senior security analyst, offered a matter-of-fact analysis with one simple conclusion: Data becomes a target when it has value. Many would wonder why hackers would want access to this type of information, but many forget that hacking is a business, a big business, he said.
“Particularly as we have seen increased collaboration amongst hackers and white collar criminals, you have a convergence of technical skills with knowledge of finance and markets,” Westin said. “PR is not the only target, as law firms and manufacturing are also sources of information that can be of value to those with knowledge of the markets and willing to take the necessary risks.”
His bottom line: Getting access to this type of information before anyone else about publicly traded companies, including earnings reports, patent status, manufacturing yields and other intellectual and proprietary information, can give an investor an edge in the markets, with potentially large gains and minimal perceived risk.