The computer servers of three major newswire companies were allegedly hacked as part of an elaborate illicit stock-trading scheme that resulted in civil charges being filed last week by the Securities and Exchange Commission against 32 defendants. Nine of these persons were also subject to criminal indictments filed in Brooklyn, New York, and Newark, New Jersey, by the US Department of Justice.
According to the SEC and the DoJ, Ivan Turchynov and Oleksandr Ieremendo, both from Ukraine, masterminded the scheme by hacking into the newswire companies’ servers from 2010 through 2015 to steal press releases regarding publicly traded companies before they were made public. Many of these stolen releases contained quarterly and annual earnings information. The hackers stole more than 150,000 press releases, claimed the DoJ.
The two hackers worked with a network of traders in the US and abroad who paid the hackers for the stolen information with either a flat fee or a percentage of any trading profits. The SEC said the defendants generated over US $100 million in profits trading on the illicit information.
The newswire companies were Marketwired, L.P., PR Newswire Association LLC and Business Wire. According to the SEC’s complaint in this matter:
The hacker defendants used deceptive means to gain unauthorized access to the Newswire Services’ computer systems, using tactics such as: (a) employing stolen username/password information of authorized users to pose as authorized users; (b) deploying malicious computer code designed to delete evidence of the computer attacks; (c) concealing the identity and location of the computers used to access the Newswire Services’ computers; and (d) using back-door access-modules.
The SEC seeks an injunction and asset freeze against the defendants, as well as damages and disgorgement. The DoJ also seeks penalties from and imprisonment for each defendant.
Compliance Weeds: As I have written before, there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and did not know. By now all financial services firms—no matter what size—should have assessed or be in the process of assessing the scope of their data (e.g., customer information, proprietary), potential cybersecurity risk, protective measures in place, consequences of a breach and cybersecurity governance (e.g., how would they react if a breach occurred) in order to evaluate their cybersecurity needs and develop a robust protective program. Engaging an outside consultant to try to penetrate a firm’s system is also advisable, as is ensuring that each third-party service provider that accesses a firm’s data has its own, robust cybersecurity program. (For a detailed discussion of cybersecurity and a comprehensive checklist of practical measures, see the June 24, 2015 Advisory “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP.)