August 12, 2015

SEC Busts Earnings Release Hackers! 150K Releases Stolen Over 5 Years…

Who said the Ukraine is weak? (Kramer did.) Yesterday, the SEC announced fraud charges against 32 defendants for taking part in a global scheme that involved hacking into news wires to obtain nonpublic information from 150,000 earnings announcements over 5 years (but they only traded on 800 of those 150k). Those charged include two Ukrainian men – Ivan Turchynov and Oleksandr Ieremenko (hope they keep those names for the movie) – who allegedly did the hacking & 30 others who then traded on it, generating more than $100 million in profits. 150,000! 5 years! $100 mil!

This quote from this Washington Post article gives a sense of the brazenness of this scheme:

The hackers, who called the early-accessed filings “fresh stuff,” masked their movements through proxy servers and stolen employee identities, and recruited traders with videos showcasing how swiftly they could steal corporate data before its release. Traders kept “shopping lists” of the releases they wanted from select public companies, many of whom were large Fortune 500 conglomerates with heavy interest in market trading.

Here are Chair White’s remarks – and here’s an excerpt from the SEC’s complaint (paragraph #68) that confounded me:

For each press release, there is a window of time between when the issuer provides a draft press release to the Newswire Service and when the Newswire Service publishes the release (the “window”). This window varied between a number of minutes and a number of days.

Are companies really giving their earnings releases to the wires days in advance? Obviously, not a good idea! Keep your confidential information under your control for as long as you can!

As an aside, here’s my 1st blog about this type of problem from 2010 – but these initial incidents didn’t appear to involve hacking, just premature “hidden” posting of earnings releases by companies. In these initial cases, companies were posting their releases early – but the URLs weren’t fully hidden. They weren’t linked to from anywhere on the corporate site yet – but they were posted early and bots were able to sleuth them out.

This was particularly true because – in some cases – the URLs for these releases followed a corporate convention, so that even a human could have sleuthed one out by just typing in a specific URL (e.g., the URL for the last earnings release ended in “3rdQ” – so the next release would be “4thQ”). I don’t believe there’s been this type of incident recently – the Twitter snafu back in May didn’t seem to involve a URL sniffing bot per this blog.
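For an IR or web team that wants to check its own site for the early-posting problem described above, here is an added example (not from the original post or any company's code) that scans web access logs for requests to a release URL made before its official publication time. The log lines, paths, IP addresses and publication schedule are constructed for illustration, and the Common Log Format is an assumption about the server.

```python
import re
from datetime import datetime, timezone

# Constructed access-log lines (Common Log Format); paths and IPs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2016:14:02:11 +0000] "GET /ir/releases/2015-4thQ.html HTTP/1.1" 404 512
203.0.113.7 - - [27/Jan/2016:19:45:03 +0000] "GET /ir/releases/2015-4thQ.html HTTP/1.1" 200 48211
198.51.100.23 - - [27/Jan/2016:21:05:40 +0000] "GET /ir/releases/2015-4thQ.html HTTP/1.1" 200 48211
198.51.100.23 - - [27/Jan/2016:21:06:02 +0000] "GET /ir/releases/2015-3rdQ.html HTTP/1.1" 200 47102
""".splitlines()

# Hypothetical schedule: release path -> official publication time (UTC).
PUBLISH_TIMES = {
    "/ir/releases/2015-4thQ.html": datetime(2016, 1, 27, 21, 5, tzinfo=timezone.utc),
}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def prepublication_hits(lines, publish_times):
    """Return (ip, path, status, verdict) for requests made before publication."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, stamp, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore query strings
        publish_at = publish_times.get(path)
        if publish_at is None:
            continue  # not a scheduled release, or already tracked elsewhere
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if when < publish_at:
            # 2xx: the staged file was served early; anything else: a guess
            verdict = "EXPOSED" if status.startswith("2") else "PROBE"
            hits.append((ip, path, int(status), verdict))
    return hits

if __name__ == "__main__":
    for hit in prepublication_hits(SAMPLE_LOG, PUBLISH_TIMES):
        print(hit)
```

A "PROBE" result means someone guessed the next URL before the file was there; an "EXPOSED" result means the release was actually served before its scheduled time.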

Transcript: “Cybersecurity – Governance Steps You Need to Take Now”

We have posted the transcript for our recent webcast: “Cybersecurity: Governance Steps You Need to Take Now.”

7th Circuit Opens Door to Data Breach Class Actions

Here’s the intro from this Akin Gump blog:

On July 20, 2015, the U.S. Court of Appeals for the 7th Circuit issued an opinion that could dramatically change the class action landscape for companies that are victims of hackers. In Remijas v. Neiman Marcus Gp., the 7th Circuit reversed the district court, ruling that Neiman Marcus (NM) customers whose credit card information was compromised had standing to bring a class action suit against the retailer.

– Broc Romanek