In 1981, R. Foster Winans was a reporter for the Wall Street Journal, writing the “Heard it on the Street” column. As a diligent reporter, he would find out information about companies, and then publish this information in the Journal.
He wasn’t an “insider” of any company except the company that owned the Journal. When Winans traded on the basis of the information he learned (actually, on the fact that the Journal was going to publish that information) and made profits, the SEC came down on him hard, prosecuting him for “insider trading” despite the fact that he was never a corporate “insider” in any of the companies about which he wrote, and whose stock he traded.
What the case pointed out is the power of information – particularly material non-public information – to make money for those willing to use it. And, now, for those willing to steal it in cyberspace.
It also points out the need for companies to take a more expansive view of the sensitivity of the data they hold – particularly the data held for and about third parties, and to have a robust process for identifying this information, securing it, monitoring attempts to steal it, and responding effectively to such thefts.
Knowledge is Power
The U.S. Justice Department recently unsealed indictments against several Russian, Ukrainian, and American individuals for trading on the basis of information they stole from news bureaus and agencies like MarketWired, BusinessWire, and PR Newswire.
The conspiracy ran from Russia and the Ukraine to Alpharetta and Suwanee, Georgia; Glen Mills, Pennsylvania; Brooklyn, New York; and northern New Jersey. The indictment alleges that these insider trades – which traded in advance of the public release of the information – netted the conspirators more than $100 million.
How it Worked
The hacked news bureaus receive material, non-public information from their clients and customers – typically issuers of stock traded on the open markets. When a company wanted to release its earnings, or announce changes in corporate control, the opening of a new manufacturing facility, or anything of any significance, it would do so by issuing a release using one or more of these business news bureaus.
The releases are typically embargoed by the wire service, to be released at a particular time and date. The release of the information has an impact on the marketplace – news of a merger can cause the price of the acquired company to skyrocket. News of the resignation of a beloved CEO can cause a decline in the stock price.
It’s like the joke about the most important thing in telling a joke – timing! By accessing the newswire’s accounts in advance of the public release, the hackers were able to trade on the basis on the material (not yet public) information, and make millions from unsuspecting folks who did not have access to the information. Well, at least not yet.
So the information held by the newswires had a time-sensitive quality. Once released, the data was not sensitive at all – indeed it was intended to be widely disseminated. But moments before the release, the data was very sensitive – and valuable.
Unfortunately, when deciding when and how to protect data, we often forget the data that we intend to release publicly, or don’t have a full appreciation for the impact on others of the release of that data.
This is not to say the newswires were not protecting the data. They were. In fact, they managed to kick the hacker out, or thwart their efforts multiple times in multiple ways. The hackers just moved on either to a new technique or to another newswire, and then back again. Remember, the good guy has to defend against every attack by every attacker. The bad guy just has to find one way in.
The indictment alleges that the hackers not only got credentials of those with access to the newswire’s secret information, but that they traded these credentials between themselves. The hackers, who stole over 150,000 news releases, executed trades on the basis of about 800 of them yielding $30 million in profit. They stole credentials from the newswires through a combination of phishing attacks, SQL injection attacks, and brute forcing the passwords of users, and by installing reverse shells on the victims’ machines.
You know, the usual ways.
There was even some honor among thieves. The hackers set up a server that contained the purloined press releases. That way, multiple hacker groups could trade on the stolen data in time with the market. More money for everyone!
The Importance of Being Earnest
What’s significant about this attack (other than the $100 million) is that it preys on information that might not have been considered sensitive or significant – or at least which might not have been protected as such. The thing about news releases is that they are meant to be publicized eventually.
A good deal of data held by a company may be sensitive at a particular time, and not sensitive later on. A few years ago, a first generation Apple iPhone was lost by an Apple developer in a bar in northern California. It was a major black eye for the developer, and Apple arranged to have the guy who found the phone and published pictures online criminally prosecuted for misappropriation of lost property.
Of course, a picture of a first gen iPhone is worth nothing these days. Give it another 30 years, and who knows – it could be valuable again. (I’m holding on to my first gen iPhone just in case.)
So we need to protect data not just from a sensitivity standpoint, but from a TIME standpoint as well. And we have a problem with OPD, or Other People’s Data. Most companies are fiduciaries of Other People’s Data.
Sure, we are used to retailers having data about their customers, or hospitals having data about their patients, but companies have inside information about their vendors, suppliers, customers, employees, contractors and others. Law firms and accounting firms have sensitive data about their clients, their clients’ customers, and others.
They have information from which sensitive non-public information may be gleaned. When Apple puts out a job search for someone with experience in geolocation, Wall Street reacts to the possibility of a new geolocation device, product or service in the next product. So HR, personnel offices, and recruiters have inside information useful to hackers.
Who’d ‘a Thunk It?
The other thing pointed out by the insider-trading scheme is the fact that the entity suffering the “breach” – in this case the newswires – is not the same as the entity suffering the “loss.”
In the case of insider trading, the loss is to the issuers – the Abercrombie or Viacom – not the newswire. Indeed, as a practical matter, the loss is to the individual who sold his or her Viacom stock at $45.89 to these Ukrainian hackers just moments before the price shot up to $48.00 on the basis of some wire press release. Opportunity costs. This person may never know that they were the “victim” of insider trading or the ultimate victim of hackers.
All of this points out the need to engage in a comprehensive risk assessment based not just on what kind of computers and software you have, but also on the nature of, and threats to your business operations. What kind of data you have, where is it, and what would happen to you OR YOUR CUSTOMERS if this data were no longer secure, confidential or reliable? Most assessments measure risk based on a technical vulnerability (e.g., SQL injection attack). What’s more important is to assess the business impact of a breach based on a specific attack to a specific data set.
All too often companies say, “Why would hackers want to go after me? I don’t have any data that they would be interested in.” Of course you do. You might not know it yet, but the hackers do.