The U.S. Securities and Exchange Commission (SEC) has charged 32 people with involvement in a scheme to hack into the newswire services Marketwired, PR Newswire and Business Wire in order to steal hundreds of corporate earnings announcements before they were publicly released.
Two Ukrainian men, Ivan Turchynov and Oleksandr Ieremenko, have been charged with hacking into the news services between February 2010 and August 2015. Thirty others in the U.S., Russia, Ukraine, Malta, Cyprus and France have been charged with trading on the stolen information.
“This international scheme is unprecedented in terms of the scope of the hacking, the number of traders, the number of securities traded and profits generated,” SEC chair Mary Jo White said in a statement. “These hackers and traders are charged with reaping more than $100 million in illicit profits by stealing nonpublic information and trading based on that information.”
The U.S. Attorney’s Offices for the District of New Jersey and for the Eastern District of New York also announced criminal charges against Turchynov and Ieremenko, as well as against traders Arkadiy Dubovoy, Igor Dubovoy, Pavel Dubovoy, Vitaly Korchevsky, Vladislav Khalupsky, Aleksandr Garkusha, and Leonid Momotok. Five have been arrested, while the other four, including Turchynov and Ieremenko, remain at large.
“This cyber hacking scheme is one of the most intricate and sophisticated trading rings that we have ever seen, spanning the globe and involving dozens of individuals and entities,” Andrew Ceresney, director of the SEC’s Division of Enforcement, said in a statement.
On August 11, 2015, the U.S. government seized 17 bank and brokerage accounts that held more than $6.5 million in alleged criminal proceeds, as well as 12 properties worth more than $5.5 million.
VASCO Data Security vice president John Gunn told eSecurity Planet by email that the announcement points to a new and different type of cyber security domain. “Cash, credit card numbers, and Social Security numbers have high value to all hackers, so they are well protected, especially by banks who spend a fortune on protecting their assets,” he said. “But a press release has essentially zero value to anyone except an extremely small group of hackers who can exploit the information in secondary markets.”
“This creates a dangerous scenario where zero-value assets that are protected by minimal security come under attack from hackers who have the know-how to convert the asset into significant monetary gain,” Gunn added. “These hacker mash-ups will become more frequent as enabling technologies make criminal collaboration easier.”
Tripwire director of IT security and risk strategy Tim Erlin said by email that the breaches are a reminder of the potential risks presented by a company’s supply chain. “This is a case where sensitive information was transferred to a third party, and while the sensitivity was time limited, the data was clearly at risk,” he said. “While public companies may take the time to revisit their PR processes with an eye towards security, they should look at other areas where data is shared with third parties that might be exploited.”
A recent eSecurity Planet article offered advice on how to mitigate security risks from third-party service providers.