NetApp Inc. (NASDAQ:NTAP) has become the second company in less than a week to have earnings information leaked from an unsecured area of its corporate website.
Bloomberg confirmed to Dow Jones that it retrieved unpublished financial data from the company’s website more than an hour before its scheduled release.
NASDAQ officials halted NetApp’s stock at 3:11 pm ET after the stock had dropped 6.5% on the leaked news, which hit trading desks around 2:45 pm ET.
The company, based in Sunnyvale, CA, told Dow Jones that someone had obtained financial tables that it attaches to its earnings releases from “a restricted area of the company’s website.”
However, a Bloomberg spokesperson said they found NetApp’s financial tables posted on the company’s website without any required password or firewall and that the company had failed to respond to multiple calls to verify the information before the story was published.
Same slack practices as Disney
As we first reported Nov. 12 when The Walt Disney Company’s (NYSE:DIS) earnings release was leaked from its website, Bloomberg uses a sophisticated software program called a spider to crawl key websites for news.
The software is similar to the search software that Google and other search engines use to crawl the web. There is nothing illegal or underhanded in what Bloomberg is doing. Its software can only access information that is publicly accessible.
And as with Disney, it appears to us that NetApp’s own slack security measures and predictable document naming practices allowed either a Bloomberg reporter or their search bot to access the PDF document containing NetApp’s financial statements, which were uploaded to the company’s server in preparation for publishing its earnings release after regular market hours.
URL of pending PDF financials easy to guess
According to the PDF metadata, someone at NetApp yesterday created the PDF of its financial tables at 2:08 pm ET from an Excel spreadsheet. This file was named financial-fy11-q2.pdf and uploaded to an unsecured folder on NetApp’s self-hosted website.
While the PDF document was not linked to any public page on NetApp’s website, anyone with knowledge of NetApp’s prior news release naming and posting practices could have easily guessed the file’s URL.
Here is a list of the URLs for NetApp’s financial statements for the past few quarters:
While they are not all exactly the same, a reporter or a search bot wouldn’t have to try too many permutations to predict the URL of yesterday’s file. This is exactly the same thing that tripped up Disney last week.
In essence, Bloomberg merely stumbled across the document by typing in a few different URLs. It didn’t hack the server or steal the information.
Companies have obligation to safeguard info
It is every public company’s obligation to secure material disclosure documents prior to making the information public. This is cheap and easy to do and often is a standard feature in off-the-shelf web content management software.
That two companies should be caught out like this in a week raises serious questions about companies’ disclosure controls and web security. Unfortunately, IR departments and their executives almost universally pay little attention to their websites. Situations like this are a consequence of that neglect.
Hopefully, these incidents will prompt IR leaders, executives and directors to conduct audits of their website infrastructure and publishing procedures.
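One check such an audit could automate, as an added example that is not NetApp's or Bloomberg's code: flag any embargoed document that already sits in the publicly served web root before its release time, and note whether its name follows the pattern of earlier releases. The folder name, date, earlier filenames and the 4:00 pm release time are constructed assumptions; only financial-fy11-q2.pdf and the 2:08 pm creation time come from the article.

```python
import re
from datetime import datetime

def skeleton(name):
    """Collapse digit runs so names that differ only in period numbers compare equal."""
    return re.sub(r"\d+", "#", name.lower())

def audit(public_files, embargoes, published_names, now):
    """Flag embargoed files that the public web root would already serve.

    public_files    -- paths served without authentication
    embargoes       -- {filename: release datetime}
    published_names -- filenames of earlier, already public releases
    """
    known = {skeleton(n) for n in published_names}
    findings = []
    for path in public_files:
        name = path.rsplit("/", 1)[-1]
        release = embargoes.get(name)
        if release is None or now >= release:
            continue  # not embargoed, or embargo already lifted
        findings.append({
            "path": path,
            "minutes_early": int((release - now).total_seconds() // 60),
            # True when the name follows a pattern outsiders already know
            "guessable": skeleton(name) in known,
        })
    return findings

# Constructed sample data (all times ET). Only financial-fy11-q2.pdf and the
# 2:08 pm creation time come from the article; the folder, date, earlier
# filenames and 4:00 pm release time are assumptions.
PUBLIC_FILES = [
    "/ir-folder-placeholder/financial-fy11-q1.pdf",
    "/ir-folder-placeholder/financial-fy11-q2.pdf",
]
EMBARGOES = {"financial-fy11-q2.pdf": datetime(2010, 1, 1, 16, 0)}
PUBLISHED = ["financial-fy11-q1.pdf", "fy10-q4-financials.pdf"]
CHECK_TIME = datetime(2010, 1, 1, 14, 8)

if __name__ == "__main__":
    for finding in audit(PUBLIC_FILES, EMBARGOES, PUBLISHED, CHECK_TIME):
        print(finding)
```

Run as a gate in the publishing workflow, a non-empty result means the file should be moved behind authentication or out of the web root until the release time passes.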
(Hat tip to Mike O’Brien)