Insights

The Nasdaq Hack: How Russian Hackers Gained Entry to the Stock Market

July 22, 2014

Cyber Liability

Last week, Bloomberg BusinessWeek released an exposé on a 2010 security intrusion at The Nasdaq Stock Market, now thought to have been perpetrated by Russian state-sponsored hackers looking to gain trade secrets that would help transform the Russian stock exchanges into a global financial hub.  At the time, Nasdaq reported that the attack was limited to its Directors Desk portal, a web application used by corporate directors to share confidential company information, and that they had “no information that anything was taken”.  According to BusinessWeek, this statement would be true only because Nasdaq lacked the logs and monitoring systems to even know what had been taken.  “Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent…There were indications that a large cache of data was stolen, though proof was scarce, and it was hard to see what was spirited out”.

This article highlights several truths of the state of cyber security:  (1) A significant majority of network security intrusions are not detected by the target, but by a third party (in this case, the FBI); (2) hackers can remain undetected inside a company’s networks for months, siphoning off information and/or planning a subsequent attack or theft; and (3) even companies and industries that we would expect to have a sophisticated approach to cyber security can be victims.  “The team was surprised at how vulnerable a sophisticated operation such as Nasdaq could be. ‘Our assumption was that, generally speaking, the financial sector had its act together much more,’ says Christopher Finan, a former cybersecurity expert in the Obama White House.”

As I blogged about recently, the U.S government has identified cyber security as a major risk to U.S. interests, and in particular to critical infrastructure such as our banking and financial systems.  This story highlights the challenges in coordinating among the multiple government agencies with expertise in cyber security, and the reluctance of private sector companies to cooperate and share information on their own cyber vulnerabilities.

Was this post helpful?

See all articles by Lauri Floresca

All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Lauri Floresca

Senior Vice President, Cyber Liability

Contributor, Cyber Liability

Lauri is a widely respected expert and frequent speaker on the issues of directors & officers liability and cyber liability. She has developed her expertise surrounding complex privacy breach claims and innovative Cyber Liability solutions, and has extensive experience placing D&O programs for public companies of all sizes, including NASDAQ 100 and Fortune 500 companies.

415.402.6523

LinkedIn

Lauri Floresca

Senior Vice President, Cyber Liability

Contributor, Cyber Liability

Lauri is a widely respected expert and frequent speaker on the issues of directors & officers liability and cyber liability. She has developed her expertise surrounding complex privacy breach claims and innovative Cyber Liability solutions, and has extensive experience placing D&O programs for public companies of all sizes, including NASDAQ 100 and Fortune 500 companies.

415.402.6523

LinkedIn