‘Unprecedented’ scheme sees hackers net up to $100 mn from stolen information

Thirty-two people have now been charged with involvement in a scheme to profit from non-public information in more than 100,000 releases stolen from newswires over a five year period.

Nine people were charged yesterday and five arrested. More than 150,000 press releases from PR Newswire, Business Wire and Marketwired were stolen, according to the justice department, which says trades off the back of this information generated ‘approximately $30 mn in illegal trading profits’ over three years.

A parallel civil complaint by the SEC meanwhile has 32 people charged with fraud, with the commission saying the scheme generated ‘more than $100 mn’ in illegal profits over five years.

During this time the group traded on stolen press releases containing material non-public information about hundreds of companies, including Align Technology, Caterpillar, Hewlett Packard, Home Depot, Panera Bread and Verisign, according to the justice department.

‘This international scheme is unprecedented in terms of the scope of the hacking, the number of traders, the number of securities traded and profits generated,’ says SEC chairman Mary Jo White in the press release.

According to the SEC, the hackers and traders had at times ‘a very narrow window of opportunity to extract and use the allegedly hacked information.’

It cited ‘one particularly dramatic instance’ in May 2013, when ‘the hackers and traders allegedly moved in the 36-minute period between a newswire’s receipt and release of an announcement that a company was revising its earnings and revenue projections downward.’

It states that ‘10 minutes after the company sent the still-confidential release to the newswire, traders began selling short its stock and selling CFDs (contract for difference), realizing $511,000 in profits when the company’s stock price fell following the announcement.’

The hackers and traders used foreign shell companies to share in the illegal trading profits. In the statement issued by the justice department, Diego Rodriguez, FBI assistant director-in-charge called the case a ‘story of a traditional securities fraud scheme with a twist – one that employed a contemporary approach to a conventional crime.’

Jon Levin, securities lawyer and partner at Toronto-based Fasken Martineau, says the case could affect the way companies use news wires in the future. ‘It is a very common practice for public companies to send press releases to news wire services on an embargoed basis with instructions as to when they may be released,’ he notes. 

‘Absent absolute confidence of privacy and confidentiality, this practice would have to change and the timely flow of public disclosure could be adversely affected.’

PR Newswire and Business Wire each issued statements, with the latter saying it had hired its own ‘prominent cyber-security firm’ to conduct forensic testing of its systems as well as ‘working closely’ with the US government.

Talking about the ‘substantial resources’ the newswire service dedicates to security, CEO Cathy Baron Tamraz says in the statement that ‘despite extreme vigilance and commitment, recent events illustrate that no one is immune to the highly sophisticated illegal cyber-intrusions that are plaguing every aspect of our society.’