Despite Twitter and Facebook, press releases are still a prime way publicly-traded organizations get their messages to the news media, financial analysts and shareholders. News releases can include pages of details, along with a lot of boilerplate material and paragraphs touting the financial stability of the company and superiority of its products.
But get an early look at a release before it’s published and you could benefit financially. That allegedly is what a group of attackers — six from the United States, three from Ukraine — did according to federal criminal charges laid Tuesday in two U.S. states that claimed the scheme generated approximately $30 million in illegal profits over several years.
The charges allege they hacked into servers of three newswire services — Toronto-based Marketwired L.P., which has operations here and in New York.; PR Newswire Association LLC and Business Wire — to steal 150,000 confidential releases before they were published about companies traded on the Nasdaq and New York Stock Exchanges. Then, with early notice, some of the accused used information in 800 of the releases to buy and sell stocks before the news was publicly released.
A statement from authorities called it “the largest scheme of its kind ever prosecuted.” Hundreds of stocks were traded in the scheme including Hewlett-Packard and VeriSign Inc.
It’s another reminder to CISOs that an organization’s prized jewels can be more than personal information, credit cards and patents.
“The defendants launched a series of sophisticated and relentless cyber attacks” against the companies, prosecutors said in a statement. The U.S. Securities and Exchange Commission (SEC) also laid charges against the nine and other individuals and entities. The accused are described as an “alliance of hackers and securities industry professionals.”
As part of the investigation authorities managed to get access to the communications of some of the accused. In one online chat, the prosecutors’ statement alleges, one accused said he had compromised the log-in credentials of 15 Business Wire employees.
Marketwired is majority owned by OMERS Administration Corporation, the pension fund of Ontario’s municipal employees. The statement from prosecutors doesn’t detail where the hacked servers of the newswire companies were located, but U.S. authorities would only have the power to prosecute crimes in that country.
“The attack was limited to a subset of our U.S. customers,” Jason Maloni, a spokesman for Marketwired, said in an email this morning. “An even smaller number of these releases contained financial or material information. We are notifying all affected customers and providing them with the facts of this incident and all we have done to enhance our system.”
“We found and fixed the issue at the heart of this matter and we are confident that Marketwired is protected by world-class security, monitoring and prevention practices.”
In an interview Maloni wouldn’t detail how attackers breached Marketwired servers, other than to say two years ago the company was alerted and the issue was “found and fixed” then. No Canadian customers were affected, he said.
The 23-count District of New Jersey indictment charges five defendants with wire fraud conspiracy, securities fraud conspiracy, wire fraud, securities fraud, and money laundering conspiracy. Two of the Ukrainians are additionally charged with computer fraud conspiracy, computer fraud, and aggravated identity theft.
The Eastern District of New York indictment charges four defendants with wire fraud conspiracy, securities fraud conspiracy, securities fraud, and money laundering conspiracy.
The release said prosecutors seized 17 bank and brokerage accounts containing more than US$6.5 million of alleged criminal proceeds. The government also took steps to restrain 12 properties, a shopping center located in Pennsylvania, an apartment building located in Georgia, and a houseboat, all worth more than US$5.5 million.