A group of hackers were recently charged with stealing not-yet-public corporate news releases that covered earnings reports, personnel changes and other material information, then traded on it to the tune of $100 million dollars in illegal proceeds. The largest crime of its kind ever prosecuted was orchestrated by a team of cybercriminals from the U.S., Ukraine and Europe.
This story is a prime example of the expansion and increased sophistication of financial cybercrime, a true network effect. The hackers were opportunistic – they didn’t directly attack the affected companies, but exploited the vulnerability of the firms’ newswire partners. It is a cautionary tale for banks and financial institutions that share sensitive information with a network of vendors that includes professional service firms, regulators, and business partners. As the risk of security breaches continues to grow, and the regulatory environment becomes more stringent, it is imperative for financial firms of all stripes to take steps to mitigate risk in their vendor networks.
It is standard operating procedure for employees of banks, insurance companies and securities firms to share sensitive – often regulated – information outside their organizations. In the course of their work, they share market-moving data beyond their firewall: think about the information sent to colleagues and outside parties while working on regulatory exams, filings, compliance programs, financial crimes and other highly sensitive material. Add to that protected customer information and you have a perfect storm for an impactful data breach. Matthew L. Schwartz, a former federal prosecutor in New York, was quoted in the Associated Press coverage of the $100 million hack, saying, “The lesson in this is your information is only as secure as the people you share it with. If you share that information with a news service, a PR firm or even a law firm, then you need to make sure that it’s secure.”continue reading »