In a graphic demonstration of what the speed of information can mean to public markets, the Securities and Exchange Commission and the US Department of Justice have indicted nine people for crimes related to a hack of the internal networks of the three most popular press release services.
The attackers allegedly gained access to the networks and turned them into crystal balls of sorts, identifying material information before its release to the public and passing that information along to traders, who would then reciprocate with either a flat fee or a percentage of the profits they made trading on the advance information.
The SEC and DOJ seized securities accounts and property totaling $12M connected to the nine individuals indicted. The criminal suit alleges that they profited up to $30 million from the scheme, and a separate civil suit by the SEC seeks damages of $100 million.
The breached wire services say they have hired “prominent cybersecurity firm(s)” to learn about the attacks and patch the breach, but the statements stop short of assuring that the original breach has been remedied and that attackers have no residual access. The uncomfortable truth is that, short of shutting down their network and re-building it, there is no way for them to be sure.
Only five of the nine indicted are currently in custody. Four of the named parties are residents of the Ukraine and remain at large. They are alleged to have breached the networks through SQL injection attacks, a fairly sophisticated technique that fooled the network’s servers into dumping data to the hackers in their normal course of operation. This operation continued for five years, and progressed to the point that operators boasted about it in online chats, and traders provided shopping lists of expected news releases for hackers to pluck off of the release queue.
The DOJ and the SEC are careful not to blame the wires, and note that they cooperated with the investigation, but the reputation damage here is vast. Timely and simultaneous disclosure of material events is what press wires are for, and the careful handling of sensitive information is an essential part of their service. Naturally, the information is only as secure as the network, and the more valuable it is, the more likely it is to become a target.
The total damage to the business of the press wires is similarly incalculable. Their saving grace may well be that all three of the biggest ones were hit by the group, so nobody can claim superior security. But the liability potential from the early disclosure of so many press releases is astronomical. The Times reports that more than 150,000 unreleased news releases were exposed to the hackers over 5 years. It’s also unclear if this is the only group of traders to which the hackers were selling press release previews.
Unquestionably, all of that material was stored on a breached network that may or may not have since been repaired.