Privileged information is no longer the preserve of the privileged
The US authorities have arrested nine people and accused a total of 32, among them several Ukrainian nationals, of running an insider trading network based on non-authorized access to the servers of press release providers such as PRNewswire, Marketwired and Business Wire using a range of techniques such as SQL injection or brute force attacks.
A lot of companies use these kinds of services to send out press releases and statements about their financial results or containing other information that could affect their share value. It involves split-second timing often, as Twitter, among others, has learned to its cost.
The network worked like a fully functioning company: it obtained information from hacking into the servers of these publications — in some cases we are talking about sustained attacks over the course of five years, and provided its clients with a service in return for a percentage based on the profitability of the operation. The network even provided video tutorials, access to restricted servers, a system to audit performance, and even customer service. In total, more than 150,000 press notes were used to make transactions on the markets before they were made public, generating more than $100 million in illegal profits.
The operation illustrates a completely new way of understanding the use of privileged information: traditionally, it has been a lone individual in an organization that might have access to decisions that could have an impact on share price or competitors.
At a higher level, there might be people in a position to obtain this kind of information from different organizations, somebody working in an investment bank, an analyst, or a pr company, able to leak news before it was made public. But now we are talking about unauthorized, direct access to these information repositories, and with plenty of incentive, and that could lead to problems on an unprecedented scale.
The majority of crimes based on privileged information are identified thanks to algorithms used by the SEC: any pattern showing a sudden increase in transactions by a company in the moments prior to the release of important information can set alarm bells ringing, putting a particular investor under the spotlight, and that may lead to a visit from the police to explain.
These types of operation were the exception usually, which is why those involved would try to make as much money as possible, thus potentially alerting the authorities. But the activities detailed above involve investors who believe that they are going to have a regular supply of this kind of information, and therefore can limit their operations to relatively small amounts that do not attract any attention, and that should therefore be sustainable over time. Similarly, because so many investors are involved, it is hard to see any pattern.
This creates a huge headache for those tasked with providing security for these kinds of services: evidence that there are huge incentives to try to access their servers, coupled with the need to create security processes as an essential part of the business. Privileged information was once the preserve of an elite, but it is no longer necessary to play golf with important people: technology has leveled the playing field.
(En español, aquí)
