The mounting tales of corporate data breaches tend to follow a familiar pattern.
A major U.S. or multinational company—often a retailer—reveals that hackers infiltrated its systems and absconded with the sensitive data of an eye-popping number of customers. Everyone who might have been affected gets a new credit card. That means resubmitting card information to an inordinate number of websites and apps and automatic payment plans. Probably time to check your credit report, too.
If you’re lucky, another vendor won’t get hacked for at least a few months, preventing you from going through the same rigmarole more than a couple times a year.
The U.S. Securities and Exchange Commission (SEC) maintains databases with the equivalent of birthdays and social security numbers for registered companies. It seems inevitable that the Wall Street watchdog would come under assault from hackers. Only instead of using that data to steal identities, the goal would be to ascertain information about companies and set up favorable trades.
U.S. authorities claim Ukrainian hackers and a handful of securities traders did just that in 2016. Last week, the SEC and Department of Justice announced civil and criminal charges in parallel actions against a total of 10 defendants in an alleged scheme to hack the commission’s EDGAR filing system and steal confidential information for trading.
“International computer hacking schemes like the one we charged today pose an ever-present risk to organizations that possess valuable information,” said Stephanie Avakian, co-director of the SEC’s enforcement division. “Today’s action shows the SEC’s commitment and ability to unravel these schemes and identify the perpetrators even when they operate from outside our borders.”
According to authorities, Oleksandr Leremenko, 26, and Artem Radchenko, 27, of Ukraine used a variety of cyberattacks to gain entry to EDGAR. Once inside the SEC’s system, they could allegedly access registered companies’ test filings of required disclosures with the SEC, including earnings reports. (Because test filings sometimes mirror final filings, traders could use them to stake out financial positions on companies based on information yet to be made available to the public.)
The SEC claims individuals who received the stolen information used it for trades prior to more than 150 earnings releases during a five-month period in 2016.
Illustrating the speed with which hackers and traders can work in concert to exploit stolen information, the DOJ outlined how the scheme allegedly worked in an example from May of 2016:
- The defendants copied a test filing of an unnamed public company’s quarterly earnings report to a server in Lithuania six minutes after it was uploaded to EDGAR.
- Four minutes later, the DOJ says, a conspirator began buying shares of the company’s stock.
- In a 17-minute window, the conspirator accumulated $2.4 million worth of the company’s stock.
- Thirty minutes after the test filing was uploaded to EDGAR, the company announced to the public in its actual earnings release that it was expecting to deliver record earnings for the year.
- Within a day, the conspirator sold the previous day’s acquired stake for a total profit of nearly $300,000.
No word yet from the SEC regarding how many of its passwords had to be changed.