The U.S. Department of Justice announced indictments in Brooklyn and New Jersey last month of 32 people for fraudulently obtaining inside information and then using that knowledge to make millions in the market, in the “largest scheme of its kind ever prosecuted.” The inside information was taken from purportedly secure public relation company sites and, in some cases, the trades were made a mere minutes after the cyber breaches.
When the news broke earlier this year that bank hackers in another scheme stole millions using malware, an official from one of the banks compared the heist to the one depicted in “Ocean’s Eleven.” This newest (alleged) hacking conspiracy brings to mind another film: “Trading Places.” You may recall that in that film, the protagonists use deception to obtain a confidential crop report, and then use that inside information to manipulate the orange juice futures market and take revenge on the corrupt brothers who run a commodities brokerage house. (See this link for an explanation of the scheme).
Here, the hackers allegedly obtained the inside information from the public relations companies and then went to the market and executed trades. The Department of Justice announced that, over a five year period, the Ukraine-based defendants hacked into the sites of Marketwired L.P., PR Newswire Association LLC (PRN), and Business Wire. The hackers collected information from yet-to-be distributed press releases and shared them with traders who quickly executed transactions before the information became public.
The wide variety of infiltration methods the hackers used is impressive. The New Jersey indictment helpfully lists and explains the different ways the hackers wormed their way into the sites. For example, the hackers allegedly employed “bruting,” which is defined in the indictment as the decrypting of data “by running programs that systematically check all possible passwords until the correct password [is] revealed.” In addition to malware and phishing, the hackers also allegedly used “structured query language” or “SQL,” which is defined by prosecutors as “a computer programing language designed to retrieve and manage data in computer databases.”
Did the PR companies do enough to protect their clients’ financial information? It’s unclear. Although we know from the indictment that some security seems to have been in place since the alleged hackers switched from one source to the other as they lost access due to detection and increased security measures. On the other hand, the fact that the hacking took place over a 5-year period reveals that the security measures may not have always been adequate.
It will be interesting to see how the criminal case shakes out, but also whether the public relations firms will face any civil liability for having inadequate security. Whether investors are actually damaged by insider trading and can bring civil actions as a result is a hot topic in securities law, and perhaps the subject of another blog posting. Still, the scope of this alleged international cyber breach is alarming to anyone who regularly stores confidential information.
Crooked brokerage houses and online dating services: take note.