In what is thought to be the first case of its kind, the Securitites and Exchange Commission (SEC) has contacted multiple US-listed companies asking them for details about recent email data breaches which have been linked to insider trading.
People familiar with the matter told Reuters that at least eight firms have been asked by the regulator to provide more information on the incidents, in what former SEC head of internet enforcement John Reed Stark described as an “absolute first.”
“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” he told the newswire.
The investigation is thought to have been precipitated by a FireEye report from December which detailed the work of FIN4, a sophisticated cybercrime group which is said to have tried to hack the emails of over 100 firms using spear phishing-like techniques.
“Unlike nation-state advanced threat groups originating from China or Eastern Europe tracked by FireEye, FIN4 does not utilize malware, and instead relies heavily on highly targeted social engineering tactics and deep subject matter expertise to deliver weaponized versions of legitimate corporate files,” a FireEye spokesperson told Infosecurity in an email at the time.
“This has allowed them to evade traditional detection and attribution.”
Phil Barnett, EMEA general manager at Good Technology, argued that email accounts have become a “yellow brick road” for hackers.
“Unless businesses take responsibility for the security of their data, across all devices, they are leaving themselves exposed and vulnerable to attack. Such cyber-threats must be tackled head on with a combination of containerization of information and employee education,” he added.
“Highly regulated industries require stringent security policies, but threats such as these bring into question their effectiveness. An indestructible perimeter must be built around valuable corporate information unless businesses want hackers to find ‘Oz’ and steal invaluable information.”