The SEC announced on Tuesday charges against 32 defendants involved in an unprecedented illicit scheme deployed in the US and overseas. The scheme involved hacking websites of newswire services and stealing unpublished information about numerous public companies in order to enter into illicit trades that resulted in record profits.

The case “illustrates the risks posed for our global markets by today’s sophisticated hackers,” SEC chief Mary Jo White said. “Today’s international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated.”

The international scheme involves players in Ukraine, Russia, Malta, Cyprus, France and the United States. Two Ukrainian hackers used advanced techniques including phishing (emails with links sent to employees that, once clicked, give access to a firm’s network) to access press websites and extract information about corporate earnings before it went public, and then relay the information to traders who allegedly paid the hackers a flat fee or a percentage of the profits from trades executed based on stolen material non-public information. As a result of hacking the computer servers of the news agencies, the trader defendants gained an unfair trading advantage over other market participants because they knew the content of the press releases before that information was publicly announced. The scheme operated for over 5 years and generated profits over $100 million. The defendants allegedly stole more than 100,000 press releases before they were publicly issued.

Our Perspective

The case shows the novel applications of cyber-crime and the importance of asserting rigorous cyber-controls. It also shows the significance of protecting information you relay to third parties and the critical importance of vendor cyber-due diligence—your data is only as safe as the weakest link of the chain. ie vendor that holds it. Numerous publicly-traded companies including Panera Bread Co and Radio Shack uploaded information about their earnings to the hacked websites which thus became repositories of critical data.

The SEC charges can be found here:

http://www.sec.gov/news/pressrelease/2015-163.html

The U.S. Attorney’s Office for the District of New Jersey and the U.S. Attorney’s Office for the Eastern District of New York announced parallel criminal charges against several of the defendants in the SEC’s action.