On August 11, 2015, federal prosecutors in New York and New Jersey filed criminal charges against two alleged hackers and seven other individuals who allegedly traded securities based upon stolen information. The Securities and Exchange Commission filed a related civil complaint against those same nine individuals, as well as 23 other individuals and corporate entities.
The charges stem from allegations that the hackers infiltrated the computer networks of PRNewswire, Marketwired, and Business Wire over a five-year period to steal more than 150,000 news releases posted by publicly traded companies before the information was made public. The attackers allegedly had access to corporate information from hundreds of companies, including Fortune 500 companies such as Bank of American Corp., Boeing Co., Honeywell International, Inc., Hewlett-Packard Co., Clorox Co., Deere & Co., among others. These stolen news releases allowed rogue traders to trade on news before it officially hit the wires. According to the SEC, the individuals reaped close to $100 million in illegal profits.
There are at least two interesting takeaways from this situation:
First, while we normally think of hackers as trying to steal bank account information or other personally-identifiable information such as Social Security numbers, this situation shows that hackers can obtain access to all sorts of sensitive information and attempt to profit from it. Accordingly, companies need to be aware that it is not just their customers’ personally-identifiable information (information that the law is increasingly requiring companies to protect) that may be targeted. Hackers are broadening the scope of their cyber attacks to include other sensitive and potentially valuable information.
Second, while the hackers in this situation also used more complex cyber attacks to gain access to the press releases—including the insertion of malicious programming code into applications or websites used by the companies—to gain access to the databases of the corporate news releases, the hackers often penetrated the newswire companies using very basic cyber attack techniques. For instance, the hackers used one tactic known as spearphishing, where an email that appears to be from a legitimate source was sent to newswire employees to gain unauthorized access to the companies’ computer systems. If an employee fell for the ruse, the hackers were able to download the news releases and put them on an overseas server. Thus, companies must be diligent in the training of their employees to protect the company’s computer systems against even the most “basic” of cyber attacks.
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Cyber Insurance
- Privacy Laws
- California Consumer Privacy Act
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Data Security in the Remote-Work Environment – 10 Reminders Regarding Data Security and Cyber Attacks
- Stay Safe While “Zooming”
- Revisions to Proposed CCPA Regulations Released
- Happy New Year from the CCPA
- Can’t We All Get Along in the Cyber Sandbox?
- California's New Privacy Law is Coming - Are You Ready?
- Gearing up for National Cybersecurity Awareness Month: KMK Hosts Third Annual Cybersecurity & Privacy Seminar
- Ohio Data Protection Act - Safe Harbor for Businesses in Ohio
- Ohio’s Data Protection Act: What You Need to Know
- September 2018 Was a Busy Month for Data Privacy