“Everybody should want to make sure that we have the cyber tools necessary to investigate cyber crimes, and to be prepared to defend against them and bring people to justice who commit it.” — Attorney General Janet Reno
Whenever crisis hits, the crisis takes the spotlight in the news media. I would like to update you on another major crime that will not get the coverage it deserves.
Federal indictments were issued early last week against three men who are allegedly responsible for the cybercrime of hacking into the financial and customer information of 12 major businesses and financial institutions, including J.P. Morgan Chase. The defendants, two Israeli citizens and one American, are accused of conceiving and operating a years-long scheme to steal personal information from customers of the breached companies. Among the charges are computer hacking, wire fraud and securities fraud.
While they didn’t steal any actual funds, they did steal information, which as Gordon Gekko wisely prophesied in “Wall Street,” is the “most valuable commodity.” That information was used to influence stocks manipulation in the small cap markets and easily could have impacted 401k plans.
The defendants used the customer information stolen to carry out a stock-manipulation scheme. The men would first artificially inflate stock prices by executing prearranged trades that caused the stock’s price to rise by small amounts. Then, they sent emails to customers whose information they had stolen to trick them into buying the stocks.
The defendants would then sell their shares and make a profit.
This is a variation on the “pump and dump” scheme.
The defendants are accused of violating Title 18, United States Code, Sections 1030 (a) (2) (A) and 1030 (a) (2) (C).
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n)  of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
information from any protected computer;
There are communiques noted in the indictment that can likely prove that these guys knew exactly what they were doing, how illegal it was, and how they tried to get away with it anyway.
The news of the data breach broke last year and while J.P. Morgan is Victim 1 in the indictment, it’s believed other names on the list include Dow Jones and E*Trade.
With an estimated 83 to 100 million customers’ information accessed — including 7 million small businesses — prosecutors called this, “the largest theft of customer data from a U.S. financial institution in history. There is a solid chance you know at least one person whose information was used.
Those email you get claiming a stock is “hot hot hot” – that’s the pump. If you traded the stock, you had the stock “dumped” on you.
How to Effectively Sweep and Prepare
Last week, I discussed the consequences of false business tweets, how you should avoid making them and how you can anticipate and react to social media misinformation.
Taking that a step further, there are some ways to prepare for a data breach:
Talk to Your Web Developers. Have they been keeping copies of your site’s code? You may want to establish a real-time monitoring and backup system or consider cloud service. Take this seriously and spend the money — your business, and your employees’ and customers’ information are at stake. Have the developers create a protocol about what to do in case of a breach, which, according to the Wall Street Journal, should include training employees and not shutting down the computer, so that evidence can be gathered.
Check for Spam. We all get it. But if the same message is reaching everyone in your company simultaneously, it’s worth investigating and possibly reporting, especially if it asks for password information. Whether it’s a South African prince asking for a wire transfer or a conspicuous-looking email address that uses a financial institution in its address (i.e. john@JPbank.com), it can’t hurt to report it, or at least ask the bank if it’s legit.
Add Breach Insurance to your coverage. It can be expensive, but not having it can be even costlier. It became all the rage in 2014 following Target’s hack. According to USA Today, “Every stolen record costs on average $188 to make whole, a survey by the Ponemon Institute found.” So 1,000 of your customers’ information could, minimally, cost $188,000 if breached. Your general business liability insurance may not cover this critical detail.
We’ve explored wire fraud and cybercrime a few times since the summer, and while these instances are similar, they are not identical. There are people who’d rather steal and cheat employees and businesses out of their money than work for it.
Cybercrime isn’t going away — it’s evolving.
I’m sure there’s another group of people out there who can see where this trio made some mistakes and will try to succeed where predecessors failed. Assume they’re out there and be prepared for them.
Talk to us about the best ways to protect your company’s cyber presence and information.