On August 11, 2015, federal prosecutors in New York and New Jersey filed criminal charges against two alleged hackers and seven other individuals who allegedly traded securities based upon stolen information. The Securities and Exchange Commission filed a related civil complaint against those same nine individuals, as well as 23 other individuals and corporate entities.
The charges stem from allegations that the hackers infiltrated the computer networks of PRNewswire, Marketwired, and Business Wire over a five-year period to steal more than 150,000 news releases posted by publicly traded companies before the information was made public. The attackers allegedly had access to corporate information from hundreds of companies, including Fortune 500 companies such as Bank of American Corp., Boeing Co., Honeywell International, Inc., Hewlett-Packard Co., Clorox Co., Deere & Co., among others. These stolen news releases allowed rogue traders to trade on news before it officially hit the wires. According to the SEC, the individuals reaped close to $100 million in illegal profits.
There are at least two interesting takeaways from this situation:
First, while we normally think of hackers as trying to steal bank account information or other personally-identifiable information such as Social Security numbers, this situation shows that hackers can obtain access to all sorts of sensitive information and attempt to profit from it. Accordingly, companies need to be aware that it is not just their customers’ personally-identifiable information (information that the law is increasingly requiring companies to protect) that may be targeted. Hackers are broadening the scope of their cyber attacks to include other sensitive and potentially valuable information.
Second, while the hackers in this situation also used more complex cyber attacks to gain access to the press releases—including the insertion of malicious programming code into applications or websites used by the companies—to gain access to the databases of the corporate news releases, the hackers often penetrated the newswire companies using very basic cyber attack techniques. For instance, the hackers used one tactic known as spearphishing, where an email that appears to be from a legitimate source was sent to newswire employees to gain unauthorized access to the companies’ computer systems. If an employee fell for the ruse, the hackers were able to download the news releases and put them on an overseas server. Thus, companies must be diligent in the training of their employees to protect the company’s computer systems against even the most “basic” of cyber attacks.
- Cybersecurity and Privacy Law
- Privacy Laws
- California Consumer Privacy Act
- Cybersecurity Regulation
- Cyber Insurance
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- GDPR Compliance: What is Privacy Shield 2.0?
- Connecticut's Data Privacy Law
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Utah Consumer Privacy Act
- The Colorado Privacy Act
- The Virginia Consumer Data Protection Act
- State Data Privacy Law Series
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- 2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation
- Cybersecurity Remains a Top Concern