May 6, 2015

Earnings Releases: The True Story Behind Twitter’s Leak

In this blog, Q4’s Darrell Heaps does a great job explaining what really happened last week with Twitter’s leaked earnings release (also see this article where Selerity explains how they figured out Twitter’s leak). Here’s an excerpt:

Following Twitter’s earnings leak this week there has been a huge amount of speculation about what happened. Numerous media outlets and blogs (and others) speculated that it was a URL sniffing bot that guessed the filename of the earnings release.

It’s not surprising that they went this route, because this has happened before (4 in 2011). Yes, there have been URL sniffing breaches before. Yes, there are bots out on the web guessing URLs and trying to download documents. However, any reputable IR website vendor protects against this, including Nasdaq.

The truth is that this was not URL sniffing; this was human error. According to Nasdaq’s statement: “Yesterday at 3:07 pm EDT, inadvertently posted Twitter’s (TWTR) earnings release prematurely on its investor relations website. The posting was caused by an operational issue that exposed the release on Twitter’s IR website for approximately 45 seconds. During those seconds the site was scraped by a third party that publicly disseminated the earnings information….”

It was simply that someone posted the PDF 1 hour early by mistake (at 3:07pm and 57 seconds exactly). The person quickly realized the mistake and pulled the document down within 45 seconds. My guess is they thought they moved quickly enough… but no.

Darrell’s key take-aways are:

1. Bots are everywhere and they will find your mistake and publish it on Twitter.

2. Your investors are using Twitter and will react instantly. 80% of investors are now using social.

3. Documents on IR websites have to be secure; this is table stakes for IR website vendors. Although this isn’t what happened to Twitter.

4. Disclosure controls and procedures both at your IR website vendor and within your own company are paramount in making sure sensitive information is handled correctly. This is what happened to Twitter.

5. There is no silver bullet. Web technologies such as bots, sniffers, Twitter, etc. are all evolving quickly. You need to understand these changes and evolve how your firm and your partners handle sensitive information. This is a moving target.

Cybersecurity: DOJ Issues Best Practices Guidance

Last week, the DOJ released guidance entitled “Best Practices for Victim Response and Reporting of Cyber Incidents.” As noted in these memos, the guidance outlines steps companies should take before, during, and after an incident, and includes a summary checklist. The guidance also states the DOJ’s positions on the legal permissibility of a number of monitoring techniques and the impermissibility of many forms of so-called “hacking back.”

Keeping Confidential Information Safe: Beware of “Slur”

Many of us are scared beyond belief over the spate of crippling cybersecurity breaches over the past few years. But the risk of leaks from the inside looms as large as ever. That’s why I was sad to see the launch of a new website – Slur – which is an open source, decentralized and anonymous marketplace for the selling of secret information in exchange for bitcoin. Hopefully some regulators will check into this site and ensure that laws aren’t being broken…

– Broc Romanek