A Manhattan federal court charged the 3 men this week with conspiracy, insider trading, wire fraud and computer intrusion in a case that mixed cyber-crime with securities fraud.
How They Did It
It has been reported that the trio aged 26, 30 and 50 hacked 2 U.S. law firms, specifically targeting the email accounts of partners working on mergers and acquisitions. The hacking trio used the law firms’ employee's credentials to install malware on the firm's servers in order to access emails from lawyers.
The hackers were searching for commercially sensitive information that would give them an advantage in the second level of the fraud which was to trade on company stocks based on the insider information they had gained about mergers and acquisitions.
Another U.S. Securities and Exchange Commission civil lawsuit has shown that the men were able to avoid suspicion by listing themselves in brokerage records as working at information technology companies.
Law Firms Not Yet Officially Identified
The 2 law firms have not yet been identified, although speculation in a technology news post on the Reuters website suggests that New York-based Cravath, Swaine & Moore LLP may be a likely candidate. The speculation appears to be based on news that the bank represented Pitney Bowes in its 2015 acquisition of Borderfree Inc, which one of the mergers in question in the recent case. It has also come to light that in March 2015 Cravath was reported to have discovered what was described as a "limited breach" of its systems.
Accused of Making Money From Intel’s Altera Inc Acquisition
U.S. prosecutors are reported to have accused the trio of defendants of making large amounts of money by trading using information that they allegedly stole from the law firm that represented Intel on its acquisition of Altera Inc in 2015.
It is reported that the men bought more than 200,000 shares in early February 2015, and then sold them when the stock price peaked with the release of the acquisition, allegedly making the trio around $1.4 million in profit. There is speculation on the Reuters website that this law firm that was hacked in this case may have been Weil, Gotshal & Manges LLP, but this has not been confirmed.
What Does This Mean For Your Business?
It seems that governments, banks and now law firms can be hacked in sophisticated multi-level crimes, most of which result in fraud. This attack has been described as a wake-up call for law firms globally, although it also serves as a reminder to all businesses to prioritise cyber and data security. Businesses have a legal responsibility to protect client data and should take what action they can to protect themselves and their clients and to maintain confidentiality and client trust.
Having a robust information security management system (ISMS) with cyber security controls is now an important requirement.
Businesses should now take proactive steps to protect themselves and their clients. Clients need to be able to trust that their information is confidential and is well protected. Having a strong information security management system (ISMS) with cyber security controls is now an important requirement. Disaster Recovery and Business Continuity Plans are now also essential.
Attacks can occur for multiple reasons such as system vulnerabilities, human error, or even employees / ex-employees with malicious intent. Businesses should, therefore, take a holistic approach to information security that covers the people, the processes, and the technology.