Hackers Busted Selling Press Releases to Traders – How Secure is Your Vendor’s Info Security?   

In light of the rash of data security events in the last few years, your company has invested heavily in upgraded security hardware and software.  In addition, you recently completed a comprehensive security awareness training program for all your employees, reinforcing the importance of data security (in particular, reminding them not to open those dangerous “Phishing” emails that are often a hacker’s entry point into IT systems).  So, you were shocked when you learned that your company’s most recent press release related to an upcoming merger somehow became public knowledge well before you intended to release it.  How did this happen?  Hackers infiltrated your press release vendor’s IT systems, stole your press release (and hundreds of others) and sold that information on the black market to unscrupulous traders who illegally made a bundle on your stock.

Sound like fiction?  Nope.  Authorities have now confirmed that a group of Ukrainian hackers broke into the IT systems of at least three prominent news release companies, PRNewswire Association, Marketwired, and Business Wire, selling stolen press releases to dishonest securities traders who traded on various companies’ stock.  The scheme, active as recently as just a month ago, reportedly netted the traders between $30 and $100 Million in illegal profits.  In one series of trades, hackers and their trading co-conspirators netted $5.7 Million trading on Caterpillar, Panera Bread and Align Technology stock in 15 days.  Five individuals have been arrested so far.

The attacks were reportedly going on for years, and the methods of penetrating the systems containing valuable corporate secrets were, in some instances, very basic.  One of the techniques the hackers used, for example, was “Phishing”, a technique for duping an unsuspecting employee into opening a legitimate-looking email that then launched malware onto IT systems, enabling hackers to steal data.

This story is a stark reminder that a company’s information security systems are only as strong as their weakest vendor’s systems.  Your IT security may be rock solid, but what about the data security systems and policies of your web developer?  How about the systems of your cloud storage firm? Or that contractor that helped you update your billing system last year…or your outside law firm. You get the idea.  Hackers have learned to target companies and law firms that are aggregators of highly confidential business information and intellectual property.  Why?  Well, that’s where the trade secrets are…and often those third parties’ IT security systems are not as good as they should be.

What Can You Do?  Top Five Ways to Mitigate This Threat

  1. Contract Language.  Agreements with vendors and business associates or partners that handle your confidential information should have good language related to IT security, policy, and best practices.  And those agreements should hold vendors legally and financially responsible for a breach.
  2. Site Visit.  Check out your vendor’s facility and see for yourself.  (You know, trust… but verify.)  Interview their key IT executives and examine their Info Sec policies and procedures.
  3. An Assessment.  For those relationships in which the stakes are extremely high, consider requiring your vendors to have an outside security company perform an IT security assessment of their systems, policies, and awareness training.
  4. Insurance.  Cyber Insurance can help shift some of the risk inherent in these relationships.  Talk to your risk manager.
  5. Need to Know.  Make sure your managers and key employees understand that when sharing sensitive information with outside vendors and partners, they should only share what that partner needs to know, and confidentiality agreements must be in place.